On 3/9/08, Anders Lennartsson <[EMAIL PROTECTED]> wrote: > On Sun, 2008-03-09, at 21:24:50 +0100, Martin Michlmayr wrote: > > * Anders Lennartsson <[EMAIL PROTECTED]> [2008-02-24 07:42]: > > > Feb 23 19:03:55 anna[9635]: DEBUG: resolver (crypto-modules): package > > > doesn't exist (ignored) > > > > > > and a short investigation gives that it seems natural because they are > > > not built by the source package: > > > http://packages.debian.org/source/etch/linux-kernel-di-arm-2.6 > > > > Thanks for your report. I'll add crypto-modules when we update the > > installer to 2.6.24. (Which will happen after beta1 is released, > > which should hopefully be soon.) > > -- > > Martin Michlmayr > > http://www.cyrius.com/ > > Thanks for spotting my report and adding the modules. > > As a further note on the subject of this thread, I did manage to > install Debian Etch on a fully encrypted USB-stick (1 GB) with two > partitions, one for root and one for swap. I used default settings for > LUKS encryption which I belive is 128 bits. My impression is that it > didn't really affect performance but I have not made any objective > tests of this. > > Building the heimdal 1.0.1 packages (yes a backport) on a slug > with un-encrypted 700 MB root partition and 300 MB swap (1GB SanDisk > USB-stick) takes between 4 and 5 hours. My plan was to check how long > time this took on the same device but with encrypted > partitions. Unfortunately I selected a slightly smaller swap partition > (250 MB or so) and gcc or the linker failed at some point when memory was > depleted. The evidence of this was seen in the syslog. > > My install procedure was similar to the wiki entry > http://www.nslu2-linux.org/wiki/Debian/CreateAnEncryptedRootFilesystemWithLUKS > and I wouldn't have made such rapid progress without this > information. Thanks guys! > > A big difference is that instead of a key hidden in a file, I opted > for entering the LUKS pass phrase at boot time but over a serial > port. Some soldering was necessary to make this possible but that is > described in several good web articles and my serial port works > nicely. > > > The following is a crude outline of how I managed to do the install. I > may have omitted something crucial, which you may find out if you try > to copy the procedure. > > Since currently the install process can not be done directly onto an > encrypted fs, I used two 1-GB USB memory-sticks. One was for a normal > install and the other for the encrypted install. For the first install > I placed a stick in the upper USB connector. This will be > /dev/sdb. After a normal install of Debian on this USB-memory, I > installed the package cryptsetup. Then I inserted the second media in > the lower connector. This is /dev/sda. Prior to that I had tested the > second USB-memory on my desktop and also filled it with stuff from > /dev/urandom on that computer, which is slightly quicker than the > slug. But I did also test this on the slug, and 1 GB was filled with > garbage in about half an hour. Not so bad. > > After partitioning similarly sized partitions (but not exactly :( , I > created encrypted partitions and opened them, built ext3 (/dev/sda1) > and swap (/dev/sda2) respectively on them, and mounted sda1. Then I > copied the installation from the unencrypted install, and then came > the tricky part, configuring and writing the boot stuff. A chroot to > /dev/sda1 (or where it is mounted...), installing yaird, and some > fiddling with files according to the wiki entry above, resulted in a > successful boot into the encrypted root partition after just one(!) > reflash with the boot image for the unencrypted stick. This points to > the accuracy of the wiki howto. (Do please follow their advice to make a > copy of the boot sectors after the first install.) Since I was > planning to keep the stick with the encrypted fs in the lower port it > was actually all quite simple. I had to configure the system (yaird, > fstab, ...) to have /dev/sda1 for root, and as this partition was > actually already located there left litte room for confusion (in the > second try). In addition, yaird needs only to know about the standard > procedure for obtaining a LUKS pass phrase at boot time, which the > serial port console solves. So no hacking for using a key-file was > necessary. > > With minicom configured to the correct tty (and functionaly checked > before rebooting), the prompts for pass phrases came as expected > during the boot process, after which the boot continued normally. > > Anders > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] > >
Anders, Is there any way to incoporate this hint: http://www.debian-administration.org/articles/579 where usage of serial port would be avoided? ;-) br -- .''`. Admir Trakic : :' : Debian Gnu/Linux user #99405 `. `' http://www.trakic.com/ `- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
