On Thu, Mar 02, 2006 at 04:31:03PM +0100, Frans Pop wrote:
> On Wednesday 01 March 2006 16:53, Martin Michlmayr wrote:
> > What's the status of partman-crypto?
>
> http://wiki.debian.org/DebianInstaller/PartmanCrypto
>
> It was also discussed in:
> http://people.debian.org/~bubulle/d-i/irc-meeting-20060128/log

I meant to reply two days ago, but then got distracted :-)

Here is a rough overview of the current status and my plans for it. I'm CCing cryptsetup maintainers to ask if you guys would be interested in helping with LUKS support in partman-crypto - please see below for more about this.

1. loop-AES support

This is blocked by availability of uuencode (busybox-udeb) and gnupg udebs.

The lack of uuencode can be worked around without too much difficulty by making partman-crypto Arch: any and including a minimal base64 encoder in the package. While not as elegant as using uuencode from busybox-udeb, it could be done. waldi has sadly (for me) not commented on the information I provided in bug #323436, so I'm not sure how to go forward.

Lack of gnupg-udeb is more of a blocker, but I'm still optimistic that the maintainer will find time to consider building the udeb if the situation (and blocking nature) is explained. I had not gotten around to this, but I have now mailed him again, hoping to learn what he thinks.

In summary, loop-AES support is not functional without packages from outside the archive. It can exist as an external build of the installer for now. This does not impede support for cryptsetup-luks and work could go on in that direction in the meantime.

2. cryptsetup-LUKS support

Work has not started on this yet. My estimation is that it won't be difficult to get working. I don't have much experience with cryptsetup and don't know enough about what are considered best practices, so I've not started to work on this myself. I would be very happy to join forces with people knowledgeable about it and extend/change partman-crypto and get it working.

This is a call and offer for help with LUKS :-) Please get in touch if you are interested. It would be great to have a chat about how this support would look. Since I have some free time in the next weeks, I'll start to look into this and send lots of questions to cryptsetup maintainers :-)

3. Random sources for key generation.

For loop-AES it is essential that we have a good source of entropy to allow us to extract the required amount of random key data from /dev/random in finite time. Currently the low amount of entropy inside d-i makes the key generation block for a long time. (I'm not sure how important this point is for key generation in LUKS setups.)

The plan here is to solicit input from people who maintain packages related to entropy gathering in Debian, and find a solution that will make the key generation less painful. This may be possible to do by having a daemon like rngd that is fed from hardware rngs, audio-entropyd, video-entropyd and other potential sources depending on their availability.

People I plan to contact here are hmh and fw (@d.o). I hope to get around to sending them information and questions about this in the following weeks.

The wiki page is a little outdated, I'll update it with this information later.

cheers,
Max