On 07/11/18 22:40, Pascal Hambourg wrote:
On 12/07/2018 at 05:01, David Christensen wrote:
On 07/11/18 11:29, Pascal Hambourg wrote:
On 10/07/2018 at 05:33, David Christensen wrote:

  In the Debian Installer, I choose 'manual' for 'partitioning method', create a new partition table (MBR), and create three primary partitions:

1   ~1 GiB btrfs mounted at /boot
2   ~2 GiB LUKS (random key) with swap

How do you do that ?
AFAIK, you cannot set a random key with LUKS, only with plain dm-crypt.

Perhaps it is plain dm-crypt, not LUKS.  (I am not familiar with the internals of either, so my understanding is that of a parrot or blind man.)


In the Debian Installer for Stretch:

1.  For "Partitioning method", choose "Manual".

2.  Create partitions, including a partition for swap.

3.  Move the highlight to the swap partition and press Enter to invoke the "Partition settings" pop-up dialog, and configure as follows (note "Encryption key" => "Random key" setting):

         Partition settings:
             Use as                      physical volume for encryption
             Encryption method           Device-mapper (dm-crypt)
             Encryption                  aes
             Key size                    256
             IV algorithm                xts-plain64
             Encryption key              Random key
             Erase data                  yes

Yes, this uses plain dm-crypt, not LUKS. You can see it in the resulting /etc/crypttab (no "luks" option),

crypttab(5) -- yes:

2018-07-12 18:04:20 root@po ~
# grep sda2 /etc/crypttab
sda2_crypt /dev/disk/by-id/ata-INTEL_SSDSC2CW060A3_******************-part2 /dev/urandom cipher=aes-xts-plain64,size=256,swap

2018-07-12 18:07:43 root@po ~
# grep sda3 /etc/crypttab
sda3_crypt UUID=0152d2e2-4cfb-42c4-a121-6fb832962e47 none luks


and blkid/file/wipefs do not show any LUKS header on the partition.

blkid(8) -- yes:

2018-07-12 17:54:05 root@po ~
# blkid /dev/sda1
/dev/sda1: LABEL="po_boot" UUID="6ff0dd1d-8d46-454b-bb35-a09afc47145a" UUID_SUB="47a80883-0378-43da-b5e2-0ae9f87e2c95" TYPE="btrfs" PARTUUID="8d34b557-01"

2018-07-12 17:54:22 root@po ~
# blkid /dev/sda2
/dev/sda2: PARTUUID="8d34b557-02"

2018-07-12 17:54:23 root@po ~
# blkid /dev/sda3
/dev/sda3: UUID="0152d2e2-4cfb-42c4-a121-6fb832962e47" TYPE="crypto_LUKS" PARTUUID="8d34b557-03"


file(1) -- no:

2018-07-12 17:55:01 root@po ~
# file /dev/sda1
/dev/sda1: block special (8/1)

2018-07-12 17:55:26 root@po ~
# file /dev/sda2
/dev/sda2: block special (8/2)

2018-07-12 17:55:28 root@po ~
# file /dev/sda3
/dev/sda3: block special (8/3)


wipefs(8) -- not today (!).


Therefore, I should say I set up the second partition on my system drives as follows:

2   ~2 GiB dm-crypt (random key) with swap


Note that this setup is flawed when using a partition on an SCSI-like disk: the installer writes the device name /dev/sdX, which is known to be not persistent (that's why UUIDs are used instead when possible). But a plain dm-crypt device has no header and no UUID. It would be more reliable to use PARTUUID= (synthetic on a DOS-partitioned disk) instead.

I have been using /dev/disk/by-id/* successfully for a while, but /dev/disk/by-partuuid sounds even better -- this will prevent confusion if and when I move partitions or images to other devices.


Thank you for the pointers.  :-)


David

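The following is an added example, not part of the thread above and not Debian's own code. It does, in shell, what the thread describes by hand: it scans a crypttab for entries whose source is a kernel device name such as /dev/sda2, confirms an entry is a plain dm-crypt random-key swap (no "luks" option, /dev/urandom as the key), and rewrites the source field to a PARTUUID= reference. The sample crypttab is constructed for the example; the synthetic MBR PARTUUID format (disk identifier, a dash, two-digit hex partition number) matches the "8d34b557-02" that blkid reported above, and that value is what the demo at the bottom assumes for the rewrite. The live-system helper at the end uses real cryptsetup(8) and blkid(8) invocations but is not run here.

```shell
#!/bin/sh
# Added example: audit /etc/crypttab for random-key dm-crypt swap entries that
# reference non-persistent /dev/sdX names and rewrite them to PARTUUID=.

# Constructed sample crypttab (not a real system file). The first line is the
# fragile form the installer writes; the second is a LUKS root that must stay
# UUID=; the third already uses a persistent by-id path.
SAMPLE_CRYPTTAB='sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap
sda3_crypt UUID=0152d2e2-4cfb-42c4-a121-6fb832962e47 none luks
sdb2_crypt /dev/disk/by-id/ata-EXAMPLE-part2 /dev/urandom cipher=aes-xts-plain64,size=256,swap'

# Print the names of entries whose source device is a raw kernel name
# (/dev/sdX, /dev/vdX, /dev/nvmeXnYpZ, ...) that can change between boots.
# Comments and blank lines are skipped; /dev/disk/by-* paths are not flagged.
unstable_crypttab_sources() {
    printf '%s\n' "$1" | awk '
        NF == 0 || $1 ~ /^#/ { next }
        $2 ~ /^\/dev\/(sd|vd|hd|nvme|mmcblk)/ { print $1 }
    '
}

# Succeed only for a plain dm-crypt random-key swap entry: key file is
# /dev/urandom or /dev/random, options contain "swap" and not "luks".
is_plain_random_swap() {
    set -- $1                      # split the crypttab line into its fields
    case $3 in /dev/urandom|/dev/random) ;; *) return 1 ;; esac
    case ",$4," in *,luks,*) return 1 ;; esac
    case ",$4," in *,swap,*) return 0 ;; *) return 1 ;; esac
}

# Synthetic PARTUUID for an MBR (DOS) partition: "<disk-id>-<NN>" where NN is
# the partition number as two hex digits, e.g. 8d34b557-02 for partition 2.
mbr_partuuid() {
    printf '%s-%02x\n' "$1" "$2"
}

# Replace the source (second) field of a crypttab line, keeping the rest.
rewrite_crypttab_source() {
    printf '%s\n' "$1" | awk -v src="$2" '{ $2 = src; print }'
}

# On a live system only: refuse to touch a partition that has a LUKS header
# (cryptsetup isLuks exits 0 for LUKS), otherwise print its PARTUUID.
# Not invoked in this example.
live_partuuid_if_plain() {
    if cryptsetup isLuks "$1" 2>/dev/null; then
        echo "$1 carries a LUKS header; keep its UUID= entry" >&2
        return 1
    fi
    blkid -s PARTUUID -o value "$1"
}

# Demo over the constructed sample: flag the fragile entry and show the
# rewritten line, assuming the PARTUUID blkid reported for sda2 in the thread.
for name in $(unstable_crypttab_sources "$SAMPLE_CRYPTTAB"); do
    line=$(printf '%s\n' "$SAMPLE_CRYPTTAB" | grep "^$name ")
    if is_plain_random_swap "$line"; then
        rewrite_crypttab_source "$line" "PARTUUID=$(mbr_partuuid 8d34b557 2)"
    fi
done
```

On a real machine you would feed `/etc/crypttab` in place of the sample and take the PARTUUID from `blkid -s PARTUUID -o value /dev/sdXN` (or from `live_partuuid_if_plain`) rather than from a constant; the LUKS check matters because a LUKS partition already has a stable UUID= and must not be rewritten.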