Hi Jonas, On Mon, Mar 06, 2006 at 10:06:33PM +0100, Jonas Meurer wrote: > On 06/03/2006 Max Vozeler wrote: > > I'm CCing cryptsetup maintainers to ask if you guys would > > be interested in helping with LUKS support in partman-crypto - > > please see below for more about this. > > generally yes, i'dd be glad to help with cryptdisk support in > debian-installer. i cannot speak for the other members of the > pkg-cryptsetup team, but i believe that especially work related > to cryptsetup and LUKS could be done by us.
That's cool :-) > don't hesitate to send questions. but i'm not sure where to > start currently. i read the partman-crypto wiki page, the > meeting logs and the README file in parman-crypto svn, but i'm > not sure that i understood how partman works. is partman a > native d-i project, or is it a thirdparty software that is used > in d-i? partman is Debian and d-i native. A good source for information about partman in general is the partman manual (in d-i svn: installer/doc/devel/partman/). For information about -crypto it is probably easiest if you just ask me - we could also meet on IRC some time. > also, what exactly is partman-crypto intended to do? What you listed is basically what it does. I'll add some thoughts on the differences and on changes that might be required for plain dm-crypt and LUKS. > - configure a partition as encrypted, specify type > (loop-aes, dm-crypt, luks), cypher Yes. For loop-AES we ask about the cipher and type of encryption key. Keysize is implied for each cipher. This is probably different for dm-crypt setups: I suppose it would need to ask about the keysize and volume name, and could ask about hash function - and perhaps other options? The option handling is done in active_partition/*; README is a little outdated in this regard because of changes I made today. I'll update it shortly. > - prepare the partition for encryption > choose a passphrase or key) This is the part I'm most clueless about. :-) Which key types are supported and which are recommended for dm-crypt and LUKS respectively? partman-crypto currently knows about two key types: random and keyfile (loop-AES GnuPG-encrypted). It also has provisions for asking for a plain passphrase. Other key types will probably require some new code. crypttab(5) mentions keyfiles; Do you know if they are comparable to loop-AES keyfiles? The passphrase question and key creation happens in choose_partition/crypto/do_option and blockdev-keygen. The latter will need some work to provide a nice progress bar. > - start the decryption, make the decrypted device available in a way > that it can be mounted Yes. I suppose we do the LUKS format at the same time we currently do losetup for loop-AES, then we create a crypttab and do the equivalent of /etc/init.d/cryptdisks start. Am I understanding this correctly? After that, this should need little or no changes. We just provide the encrypted device to partman as if it was a normal disk with just one partition. The settings for the partition, filesystem etc. are then handled by partman, checked and entered into /etc/fstab. Most of this happens in choose_partition/crypto/do_option - it sets up the encrypted device, wipes the partition and then restarts partman. init.d/crypto then creates a partman disk and partition and makes it available to partman. > - configure the system in a way that this is kept after reboot. Yes. I suppose we'd need to copy crypttab onto the target system and make sure cryptsetup is installed? This should be relatively easy to do. Scripts in finish.d/ are responsible for doing this. The target system is mounted in /target. > > 3. Random sources for key generation. > for LUKS setup this point is quite unimportant, but for > preparing such a setup it might be important. as far as i know, > cryptsetup itself doesn't use random entropy, but i might be > wrong. but ideally the device should be filled with random data > before it is initialized as encrypted (choose_partition/crypto > in the README). this indeed needs lots of random entropy. Here we could re-use what is done for loop-AES: Initialize an encrypted loop device with random key and just dd if=/dev/zero of=/dev/loop. The advantage being that it consumes rather little entropy and is relatively fast. > another issue is encrypted swap/tmp partitions. they should not > have a persistent key. ideally they use /dev/random as key. this > makes them incompatible with luks (luks needs a persistent key), > but with plain dm-crypt devices there is no problem. Can plain dm-crypt and LUKS be used at the same time and within the same cryptsetup configuration file? Excuse my ignorance - I should really take a closer look at how cryptsetup works. :-) cheers, Max -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
