
Re: [Pkg-cryptsetup-devel] Re: Status of partman-crypto



Hi Jonas,

On Mon, Mar 06, 2006 at 10:06:33PM +0100, Jonas Meurer wrote:
> On 06/03/2006 Max Vozeler wrote:
> > I'm CCing cryptsetup maintainers to ask if you guys would
> > be interested in helping with LUKS support in partman-crypto -
> > please see below for more about this.
> 
> generally yes, i'd be glad to help with cryptdisk support in
> debian-installer. i cannot speak for the other members of the
> pkg-cryptsetup team, but i believe that especially work related
> to cryptsetup and LUKS could be done by us.

That's cool :-)

> don't hesitate to send questions. but i'm not sure where to
> start currently. i read the partman-crypto wiki page, the
> meeting logs and the README file in partman-crypto svn, but i'm
> not sure that i understood how partman works.  is partman a
> native d-i project, or is it a third-party software that is used
> in d-i?

partman is Debian and d-i native. A good source for
information about partman in general is the partman manual 
(in d-i svn: installer/doc/devel/partman/). For information
about -crypto it is probably easiest if you just ask me - 
we could also meet on IRC some time.

> also, what exactly is partman-crypto intended to do?

What you listed is basically what it does. I'll add some
thoughts on the differences and on changes that might be
required for plain dm-crypt and LUKS.

> - configure a partition as encrypted, specify type
>  (loop-aes, dm-crypt, luks), cypher

Yes. For loop-AES we ask about the cipher and type of
encryption key. Keysize is implied for each cipher. This is
probably different for dm-crypt setups: I suppose it would 
need to ask about the keysize and volume name, and could 
ask about hash function - and perhaps other options?

The option handling is done in active_partition/*; README
is a little outdated in this regard because of changes I 
made today. I'll update it shortly.

> - prepare the partition for encryption
>   (choose a passphrase or key)

This is the part I'm most clueless about. :-)
Which key types are supported and which are recommended 
for dm-crypt and LUKS respectively? 

partman-crypto currently knows about two key types: random
and keyfile (loop-AES GnuPG-encrypted). It also has provisions
for asking for a plain passphrase. Other key types will
probably require some new code. crypttab(5) mentions keyfiles;
do you know if they are comparable to loop-AES keyfiles?

The passphrase question and key creation happen in
choose_partition/crypto/do_option and blockdev-keygen. The
latter will need some work to provide a nice progress bar.

> - start the decryption, make the decrypted device available in a way
>   that it can be mounted

Yes. I suppose we do the LUKS format at the same time we
currently do losetup for loop-AES, then we create a crypttab
and do the equivalent of /etc/init.d/cryptdisks start. Am I
understanding this correctly?

After that, this should need little or no changes. We just
provide the encrypted device to partman as if it was a normal
disk with just one partition. The settings for the partition,
filesystem etc. are then handled by partman, checked and
entered into /etc/fstab.

Most of this happens in choose_partition/crypto/do_option - 
it sets up the encrypted device, wipes the partition and then
restarts partman. init.d/crypto then creates a partman disk
and partition and makes it available to partman.

> - configure the system in a way that this is kept after reboot.

Yes. I suppose we'd need to copy crypttab onto the target
system and make sure cryptsetup is installed? This should be
relatively easy to do. Scripts in finish.d/ are responsible 
for doing this. The target system is mounted in /target.

> >   3. Random sources for key generation.

> for LUKS setup this point is quite unimportant, but for
> preparing such a setup it might be important. as far as i know,
> cryptsetup itself doesn't use random entropy, but i might be
> wrong.  but ideally the device should be filled with random data
> before it is initialized as encrypted (choose_partition/crypto
> in the README). this indeed needs lots of random entropy.

Here we could re-use what is done for loop-AES: Initialize an
encrypted loop device with random key and just dd if=/dev/zero
of=/dev/loop. The advantage being that it consumes rather
little entropy and is relatively fast.

> another issue is encrypted swap/tmp partitions. they should not
> have a persistent key. ideally they use /dev/random as key. this
> makes them incompatible with luks (luks needs a persistent key),
> but with plain dm-crypt devices there is no problem.

Can plain dm-crypt and LUKS be used at the same time and
within the same cryptsetup configuration file? Excuse my
ignorance - I should really take a closer look at how
cryptsetup works. :-) 

cheers,
Max
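
Added example, not part of the original message and not partman-crypto code: a small simulation of the wipe approach described above (encrypt zeros under a random throwaway key), showing that the whole device is covered while only one key's worth of entropy is drawn. Assumptions: an in-memory buffer stands in for the partition, a SHA-256 counter keystream stands in for the loop-AES or dm-crypt cipher, and all function names are hypothetical.

```python
import hashlib
import io
import os

SECTOR = 512     # bytes per sector on the stand-in device
KEY_BYTES = 32   # size of the throwaway key


def keystream_sector(key: bytes, sector_no: int) -> bytes:
    """Keystream for one sector, built from SHA-256(key || sector || counter).

    Stand-in for the real cipher (assumption). XOR with zeros is the
    identity, so this keystream is exactly the "ciphertext of /dev/zero".
    """
    out = bytearray()
    counter = 0
    while len(out) < SECTOR:
        out += hashlib.sha256(
            key + sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        ).digest()
        counter += 1
    return bytes(out[:SECTOR])


def wipe_with_throwaway_key(dev, size: int, rng=os.urandom) -> int:
    """Overwrite `size` bytes of `dev` with encrypted zeros.

    `size` is assumed to be a multiple of SECTOR. Returns the number of
    bytes drawn from the random source.
    """
    key = rng(KEY_BYTES)  # the only draw from the random source
    dev.seek(0)
    for sector_no in range(size // SECTOR):
        dev.write(keystream_sector(key, sector_no))
    del key  # throwaway key: never written anywhere
    return KEY_BYTES


def demo():
    """Wipe a constructed 32 KiB 'partition' that holds old plaintext."""
    size = 64 * SECTOR
    dev = io.BytesIO(b"old plaintext".ljust(size, b"\0"))  # constructed sample
    used = wipe_with_throwaway_key(dev, size)
    return used, dev.getvalue()


if __name__ == "__main__":
    used, data = demo()
    print(f"wiped {len(data)} bytes using {used} bytes of entropy")
```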


