Bug#378651: crypto installation report
Package: installation-reports
Boot method: netboot/mini.iso
Image version: 2006-07-17 daily from
http://people.debian.org/~fjp/d-i/images/2006-07-17/netboot/mini.iso
Machine: VMWare Player 1.0.1 build-19317
Memory: 128MB
Partitions:
Filesystem Type Size Used Avail Use% Mounted on
/dev/sda1 ext3 897M 292M 558M 35% /
tmpfs tmpfs 63M 0 63M 0% /dev/shm
/dev/sda2 ext3 89M 4.1M 80M 5% /home
/dev/mapper/crypt0 ext3 88M 4.1M 79M 5% /opt
/dev/sda5 ext3 92M 5.7M 81M 7% /tmp
tmpfs tmpfs 10M 96K 10M 1% /dev
# /etc/fstab: static file system information.
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
/dev/sda1 / ext3 defaults,errors=remount-ro 0 1
/dev/sda2 /home ext3 defaults,loop=/dev/loop0,encryption=AES256,gpgkey=/etc/loopkeys/_dev_sda2.gpg 0 0
/dev/mapper/crypt0 /opt ext3 defaults 0 2
/dev/sda5 /tmp ext3 defaults,loop=/dev/loop2,encryption=serpent256,phash=random/1777 0 0
/dev/sda3 none swap sw,loop=/dev/loop1,encryption=AES256 0 0
/dev/hdc /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto 0 0
/etc/crypttab:
crypt0 /dev/sda6 none luks
losetup -a:
/dev/loop/0: [000c]:4266 (/dev/sda2) encryption=AES256 multi-key-v3
/dev/loop1: [000c]:4337 (/dev/sda3) offset=4096 encryption=AES256 multi-key-v3
/dev/loop2: [000c]:4333 (/dev/sda5) encryption=serpent256 multi-key-v3
/proc/swaps:
Filename Type Size Used Priority
/dev/loop1 partition 96376 0 -1
Initial boot worked: [O]
Configure network HW: [O]
Config network: [O]
Detect CD: [O]
Load installer modules: [O]
Detect hard drives: [O]
Partition hard drives: [O]
Create file systems: [O]
Mount partitions: [O]
Install base system: [O]
Install boot loader: [O]
Reboot: [E]
Comments/Problems:
This install was focused on testing partman-crypto; everything
else worked nicely as expected.
The installed system had two crypto-related problems:
1. The kernel module that provides the serpent cipher for
loop-AES was not automatically loaded during boot (loop_serpent).
As a result, the system booted up without interruption but also
without encrypted /tmp. Something in partman-crypto needs to add
the required modules to /target/etc/modules; this applies to
modules loop_twofish and loop_serpent. I'm currently testing a
change that adds the required modules.
2. Once loop_serpent was included in /etc/modules, checkfs-loop
tried to fsck the /dev/sda5 partition, which was designated to be
used for encrypted /tmp. This failed because the mount option
phash=random/1777 makes mount use random keys and recreate the
filesystem at each boot. checkfs-loop runs earlier than mount and
so of course cannot fsck correctly. The system stopped booting at
this point and asked for manual repair of the failed fsck. This
can be fixed by excluding loop mounts with a phash=random* option
from being fsck'ed in the checkfs-loop rcS.d script
(loop-aes-utils, change pending upload).
3. Documentation: I can confirm that the checkfs-loop script (which
does the passphrase prompting for loop-AES partitions during
boot) now shows a full prompt including the mountpoint, format:
"Setting up $loop ($mnt)". This is good on the one hand in that
it works as intended, but means that section 7.2.1. loop-AES of
the d-i manual is mostly obsolete. Can we still drop parts of the
manual at this point, without disrupting the beta3 release? Else
I'll try to figure out the correct package to file a bug+patch
against so that we can drop this section post beta3.
cheers,
Max
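As an added illustration of the two fixes the report sketches (it is not code from the report, from partman-crypto or from loop-aes-utils), the shell below walks fstab entries the way an rcS.d script could: it lists the loop-AES cipher modules that have to go into /etc/modules and the loop mounts that checkfs-loop must skip because phash=random* gives them a fresh key and a fresh filesystem at every boot. The fstab text is a constructed sample copied from the report; the function names are this example's own.

```shell
# Added example, not from the report or loop-aes-utils: derive /etc/modules
# entries and checkfs-loop exclusions from loop-AES options in an fstab.
# Constructed sample fstab, mirroring the entries in the report.
SAMPLE_FSTAB='proc /proc proc defaults 0 0
/dev/sda1 / ext3 defaults,errors=remount-ro 0 1
/dev/sda2 /home ext3 defaults,loop=/dev/loop0,encryption=AES256,gpgkey=/etc/loopkeys/_dev_sda2.gpg 0 0
/dev/mapper/crypt0 /opt ext3 defaults 0 2
/dev/sda5 /tmp ext3 defaults,loop=/dev/loop2,encryption=serpent256,phash=random/1777 0 0
/dev/sda3 none swap sw,loop=/dev/loop1,encryption=AES256 0 0'

# Print the value of key $2 from the comma-separated option list $1 (or nothing).
fstab_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p"
}

# Return 0 when the option list describes a loop mount whose key is random
# (phash=random*): mount recreates the fs each boot, so checkfs-loop must skip it.
skip_fsck() {
    case ",$1," in
        *,loop=*) ;;
        *) return 1 ;;
    esac
    case "$(fstab_opt "$1" phash)" in
        random*) return 0 ;;
        *) return 1 ;;
    esac
}

# Map the encryption= value to the loop-AES module it needs. AES is built
# into loop.ko; twofish and serpent ship as separate modules.
cipher_module() {
    case "$(fstab_opt "$1" encryption | tr 'A-Z' 'a-z')" in
        twofish*) echo loop_twofish ;;
        serpent*) echo loop_serpent ;;
    esac
}

# Walk fstab text $1: mode "skip" prints mountpoints checkfs-loop must leave
# alone, mode "modules" prints the modules to append to /etc/modules.
scan_fstab() {
    printf '%s\n' "$1" | while read -r dev mnt fstype opts dump pass; do
        case "$dev" in ''|'#'*) continue ;; esac
        if [ "$2" = skip ]; then
            skip_fsck "$opts" && echo "$mnt" || :
        else
            cipher_module "$opts"
        fi
    done | sort -u
}
```

Running `scan_fstab "$SAMPLE_FSTAB" skip` yields /tmp and `scan_fstab "$SAMPLE_FSTAB" modules` yields loop_serpent, matching the two boot problems described above.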