[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: partman-auto-crypto



On Sunday 20 August 2006 12:15, David Härdeman wrote:
> As far as I know, the major outstanding issue is that of keyboard
> input. Currently it seems that d-i does not allow UTF8 input which
> means that passphrases with non-ascii characters won't work after
> reboot into the newly installed system.
>
> So it would really be nice to have a fix for #365308 which has been
> open since April and affects other parts of d-i as well (such as
> username input).

Yes, but we need some expert help on that...

> Oh, and we need a more thorough check for unencrypted swap.

Is it correct that having an unencrypted swap will prevent the crypto 
option from being shown at all? I understood that from various comments. 
Seems to me that is very much non-intuitive.

> Are you aware of any other major partman-crypto issues not in the BTS?

Support in graphical installer would be nice to have before the release.

> As for lvm, I don't see any new bugs against partman-lvm, what issues
> are you referring to?

The issues are mainly in partman-auto-lvm which partman-auto-crypto is 
based on (and thus also affected by).

> Another alternative is to not change the partman-auto main menu at all.
> The menu might get crowded but that is mostly an issue with > 2 disks
> which is not a very common scenario. This would allow p-a-c to be added
> without any changes (the issue of overcrowding is orthogonal to p-a-c
> IMHO, p-a-c just makes the problem more immediate).

IMO we would at least have to move "manual partitioning" to the top. There 
is also the issue of text getting cut of because strings are getting too 
long. This may make it impossible for users to see which disk they are 
selecting with which type of auto-partitioning and IMO that _is_ an RC 
issue that necessitates a reorganization.

> This was my original plan before you brought up the issue of crowding
> the menu :)

Yes, I know :-) But I really feel at this point that we should not do one 
without the other.

> I think we could in fact have three levels of screens with the last one
> being along the lines of "Warning: the content of disk(s) X, Y and Z is
> going to be erased. This means that the data will be permanently
> lost..etc..etc..etc..etc. Do you want to continue?".

Note that for classic partitioning the erase is not irreversible at that 
point. If you choose "undo changes" from the main partman screen, you get 
your current partition layout back.

> >> This allows multiple disks to be used for LVM or RAID and should
> >> simplify the preseeding to use two values: method and disks to use.
> >
> >What RAID level(s) are you assuming/wanting to support here?
>
> I'm not involved in the RAID part of partman, but I'd assume that
> levels 0, 1 and 5 would be offered.

I' not sure that is a good idea:
- it would mean adding yet another question to select the RAID level
- it would add serious complexity to the partman-auto scripts
- I doubt that people who want RAID5 will be happy with the default
  schemes anyway and would prefer manual partitioning

My feeling is that RAID0 is fairly uncommon, but that supporting RAID1 is 
probably useful for less experienced users. So, I'd propose to limit RAID 
support in partman-auto to RAID1.

> >Without yet having looked at the code...
> >For p-a-c, what I have been wondering about is which partitions should
> > be encrypted by default for the different schemes. From comments in
> > earlier threads I understand that having e.g. /usr encrypted isn't
> > all that useful.
>
> Allows /usr to be managed with the LVM tools as well

No, that is a limitation in the current implementation and would be solved 
by using separate flags for lvm and crypto.

> Avoids any accidental disclosure of information, e.g. there is
> /usr/local which may contain something of interest. Or the user may not
> want it to be known even which programs he has installed.
>
> The disadvantage is of course performance.

Which is an edge case and not main usage. IMO the performance argument 
outweighs that edge case.

> I think we should err on the side of caution and encrypt everything by
> default.

Well, I'd prefer to do what users expect when selecting automatic 
partitioning using crypto...
I think that users selecting the "home" scheme probably care more about 
what is in there than on the rest of their system.

Again, IMO partman-auto-* is not for super-sensitive specialized setups, 
but rather for rather average users who would like some extra security 
for their sensitive data.

> >So what partitions does p-a-c set up encrypted currently? I could
> > imagine something like ("<c>" indicates encryption):
> >"atomic": / <c>, /boot, swap <c>
> >"home":   /, /boot, /home <c>, swap <c> (so, / not encrypted)
> >"multi":  /, /boot, /tmp <c>, /usr, /var <c>, /home <c>, swap <c>
> >          (maybe / should be encrypted too in this case)
>
> I would definately encrypt / as well. /etc usually contains a lot of
> good information for an attacker (e.g. /etc/shadow).

OK, except that IMHO that is not sufficient reason to encrypt everything 
else too in the case of the "home" recipe.

> >Something like this would possibly be needed anyway for arches that
> > have special bootloader partitions (see for example the "palo"
> > partition in recipes-hppa). Or do you already have a different method
> > for dealing with those?
>
> Right now all partitions which are marked as $lvmok { } are encrypted.
> I assume that "palo" partitions and other special partitions aren't
> marked as $lvmok?

OK. That should be fine. Although I do think that a separate flag would be 
better:
- adds flexibility
- $lvmok is a misnomer if it also determines if crypto is supported

If you want to check for both flags to prevent setting up crypto on a 
non-lvm partition, that would be fine.

Attachment: pgplOHPb95WXf.pgp
Description: PGP signature


Reply to: