On 12/07/2018 at 05:01, David Christensen wrote:
> On 07/11/18 11:29, Pascal Hambourg wrote:
>> On 10/07/2018 at 05:33, David Christensen wrote:
>>> In the Debian Installer, I choose 'manual' for 'partitioning
>>> method', create a new partition table (MBR), and create three primary
>>> partitions:
>>> 1 ~1 GiB btrfs mounted at /boot
>>> 2 ~2 GiB LUKS (random key) with swap
>>
>> How do you do that?
>> AFAIK, you cannot set a random key with LUKS, only with plain dm-crypt.
>
> Perhaps it is plain dm-crypt, not LUKS. (I am not familiar with the
> internals of either, so my understanding is that of a parrot or blind man.)
>
> In the Debian Installer for Stretch:
>
> 1. For "Partitioning method", choose "Manual".
> 2. Create partitions, including a partition for swap.
> 3. Move the highlight to the swap partition and press Enter to invoke
> the "Partition settings" pop-up dialog, and configure as follows (note
> "Encryption key" => "Random key" setting):
>
> Partition settings:
>   Use as              physical volume for encryption
>   Encryption method   Device-mapper (dm-crypt)
>   Encryption          aes
>   Key size            256
>   IV algorithm        xts-plain64
>   Encryption key      Random key
>   Erase data          yes

Yes, this uses plain dm-crypt, not LUKS. You can see it in the resulting
/etc/crypttab (no "luks" option), and blkid/file/wipefs do not show any
LUKS header on the partition.
Note that this setup is flawed when using a partition on an SCSI-like
disk : the installer writes the device name /dev/sdX which is known to
be not persistent (that's why UUIDs are used instead when possible). But
a plain dm-crypt device has no header and UUID. It would be more
reliable to use the PARTUUID= (synthetic on a DOS-partitioned disk) instead.