On 06/03/2006 Max Vozeler wrote: > Here is a rough overview of the current status and my plans for > it. I'm CCing cryptsetup maintainers to ask if you guys would > be interested in helping with LUKS support in partman-crypto - > please see below for more about this.
generally yes, i'dd be glad to help with cryptdisk support in debian-installer. i cannot speak for the other members of the pkg-cryptsetup team, but i believe that especially work related to cryptsetup and LUKS could be done by us. > [...] > 2. cryptsetup-LUKS support > > Work has not started on this yet. > > My estimation is that it won't be difficult to get working. > I don't have much experience with cryptsetup and don't know > enough about what are considered best practices, so I've not > started to work on this myself. I would be very happy to join > forces with people knowlegeable about it and extend/change > partman-crypto and get it working. > > This is a call and offer for help with LUKS :-) Please get > in touch if you are interested. It would be great to have a > chat about how this support would look. Since I have some > free time in the next weeks, I'll start to look into this > and send lots of questions to cryptsetup maintainers :-) don't hesitate to send questions. but i'm not sure where to start currently. i read the partman-crypto wiki page, the meeting logs and the README file in parman-crypto svn, but i'm not sure that i understood how partman works. is partman a native d-i project, or is it a thirdparty software that is used in d-i? also, what exactly is partman-crypto intended to do? - configure a partition as encrypted, specify type (loop-aes, dm-crypt, luks), cypher - prepare the partition for encryption (initialize a LUKS partition, choose a passphrase or key) - start the decryption, make the decrypted device available in a way that it can be mounted - configure the system in a way that this is kept after reboot. anything else? > 3. Random sources for key generation. > > For loop-AES it is essential that we have a good source of > entropy to allow us to extract the required amount of random > key data from /dev/random in finite time. Currently the low > amount of entropy inside d-i makes the key generation block > for a long time. (I'm not sure how important this point is > for key generation in LUKS setups.) for LUKS setup this point is quite unimportant, but for preparing such a setup it might be important. as far as i know, cryptsetup itself doesn't use random entropy, but i might be wrong. but ideally the device should be filled with random data before it is initialized as encrypted (choose_partition/crypto in the README). this indeed needs lots of random entropy. another issue is encrypted swap/tmp partitions. they should not have a persistent key. ideally they use /dev/random as key. this makes them incompatible with luks (luks needs a persistent key), but with plain dm-crypt devices there is no problem. > The plan here is to solicit input from people who maintain > packages related to entropy gathering in Debian, and find a > solution that will make the key generation less painful. This > may be possible to do by having a daemon like rngd that is fed > from hardware rngs, audio-entropyd, video-entropyd and other > potential sources depending on their availability. sounds like a good plan ;-) ... jonas -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
