Hello Cyril,

Cyril Brulebois [2015-04-16 19:40 +0200]:
> Anyway, asking for home encryption indeed leads to swap encryption,
> through an ecryptfs-setup-swap call, which in turn triggers:
> | echo "cryptswap$i UUID=$uuid /dev/urandom swap,offset=1024,cipher=aes-xts-plain64" >> /etc/crypttab
> `---[ src/utils/ecryptfs-setup-swap ]---
>
> The same file in the Debian package has no offset, so I guess that means
> Debian is rather safe.

Well, it actually means that it's even more broken :-( If you don't
specify an offset at all, then you can only boot this system once. Then
your partition will be overwritten with random data entirely, and the
next time you won't have any matching UUID any more, and you again get a
hanging boot (this affects sysvinit and upstart too). I.e. you will have
exactly the same effect.

So to properly fix this, we need:

 (1) the fix to add the offset=:
     https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/840
     (Updating the used cipher would also be a good idea, but not
     essential)

     This fix alone is sufficient under sysvinit and upstart.

 (2) this systemd fix to actually respect offset= when booting under
     systemd.

Thanks,

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer (www.debian.org)
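
Added example (not part of the message above, and not code from ecryptfs-utils or systemd): a small checker that reads crypttab text and reports the entries hit by the failure mode described, i.e. a random-keyed swap mapping that is located by UUID but has no non-zero offset=. The function names and the sample crypttab (with made-up UUIDs) are constructed for illustration.

```python
RANDOM_KEYS = {"/dev/urandom", "/dev/random"}

# Constructed sample; the UUIDs are made up.
SAMPLE_CRYPTTAB = """\
# <name> <source device> <key file> <options>
cryptswap1 UUID=11111111-2222-3333-4444-555555555555 /dev/urandom swap,cipher=aes-xts-plain64
cryptswap2 UUID=66666666-7777-8888-9999-000000000000 /dev/urandom swap,offset=1024,cipher=aes-xts-plain64
cryptswap3 /dev/sda5 /dev/urandom swap,cipher=aes-xts-plain64
sda3_crypt UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee none luks
"""


def parse_options(field):
    """Turn 'swap,offset=1024' into {'swap': None, 'offset': '1024'}."""
    opts = {}
    for item in filter(None, field.split(",")):
        key, _, value = item.partition("=")
        opts[key] = value if "=" in item else None
    return opts


def source_is_by_uuid(source):
    """True if the source is looked up through a UUID stored on the device."""
    return source.startswith(("UUID=", "/dev/disk/by-uuid/"))


def find_self_destructing_swap(crypttab_text):
    """Return (line number, name, source) for each entry that wipes its own UUID."""
    findings = []
    for lineno, line in enumerate(crypttab_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed entry, not this check's concern
        name, source, keyfile = fields[:3]
        opts = parse_options(fields[3] if len(fields) > 3 else "")
        if "swap" not in opts or keyfile not in RANDOM_KEYS:
            continue
        if not source_is_by_uuid(source):
            continue  # e.g. /dev/sda5: the lookup does not depend on the UUID
        offset = opts.get("offset")
        if offset is None or not offset.isdigit() or int(offset) == 0:
            findings.append((lineno, name, source))
    return findings


if __name__ == "__main__":
    for lineno, name, source in find_self_destructing_swap(SAMPLE_CRYPTTAB):
        print(f"line {lineno}: {name} ({source}) has no offset=; UUID is lost after first boot")
```

An entry that passes this check still depends on fix (2) when the system boots under systemd, since offset= has to be respected there for the UUID to survive.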