
Bug#434158: partman-crypto: due to popular demand: root on loop-aes



Package: partman-crypto
Severity: wishlist

As you are probably aware, loop-aes is faster and more secure than cryptsetup.

Crypto needs to be done using newt ("install", not installgui). This
is documented somewhere on the d-i website.

Unfortunately, the debian-installer doesn't want to let you encrypt
your root with loop-aes even if you have an unencrypted /boot.

First proceed to the partitioner and select encryption with loop-aes;
that will make d-i unpack the necessary files to lib/modules/*/updates.

When installing from something involving an iso image, d-i will load
the wrong loop module.
Please make sure to understand the other bug report about this issue
if you are in this situation!

Next thing you need to do is patch debian-installer to not bitch about
having / on loop-aes; this can be done by modifying a file in
/lib/partman/check.d/ and removing the check (thanks to fjp for the
pointer).

Now the install should go through fine.

Finally you'll want to chroot into your new system, and come up with
some loop-aes initramfs hooks so that your system will be bootable.

You can use those in the loop-aes-utils debian pkg source as a starting point:

apt-get source loop-aes-utils
tar xzvf *.tar.gz
cd util*
gunzip < ../*.diff.gz | patch -p1
grep -R debian initramfs

and execute the commented lines.

However, they are broken, so fix the bugs in the scripts.

You will also want to add a feature to these scripts so that they read
your key from removable media.

Remember: The "key" in your encryption IS your keyfile. The passphrase
is just an additional blocker, but if your key file gets in the wrong
hands, your security is more than halved!
This means that you absolutely don't want to keep the keyfile in the initrd.

Lastly you will probably want to regen your initrd so that the system
becomes bootable:

mount proc proc -t proc
update-initramfs -k $(ls lib/modules) -u
umount proc
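As an added check (not part of this bug report and not loop-aes-utils code), the following Python walks the regenerated initrd and reports any entry whose name looks like a keyfile, so you can confirm the key stayed on the removable media. It assumes the initrd is one or more gzip-compressed "newc" cpio archives; the hook path, the key-name patterns and the sample images are constructed for the demonstration.

```python
# Walk an initrd (one or more newc cpio archives, usually gzip-compressed)
# and flag entries whose names look like a loop-AES keyfile.
import gzip
import re
NEWC_MAGIC = b"070701"
KEY_PATTERNS = (r"\.gpg$", r"(^|/)[^/]*key(file)?(\.[^/]*)?$")  # constructed

def _pad4(n):
    return (4 - n % 4) % 4

def iter_newc(blob):
    """Yield (name, data) for each entry across concatenated newc archives."""
    pos = 0
    while pos + 110 <= len(blob):
        if blob[pos:pos + 6] != NEWC_MAGIC:
            if blob[pos:pos + 4] == b"\0\0\0\0":  # zero fill between archives
                pos += 4
                continue
            raise ValueError("no newc header at offset %d" % pos)
        hdr = blob[pos + 6:pos + 110]  # 13 fields of 8 hex digits each
        fields = [int(hdr[i * 8:i * 8 + 8], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name = blob[pos + 110:pos + 110 + namesize - 1].decode()
        data_start = pos + 110 + namesize + _pad4(110 + namesize)
        pos = data_start + filesize + _pad4(filesize)
        if name != "TRAILER!!!":
            yield name, blob[data_start:data_start + filesize]

def build_newc(entries):
    """Build a minimal uncompressed newc archive (for the constructed samples)."""
    out = bytearray()
    for name, data in list(entries) + [("TRAILER!!!", b"")]:
        nameb = name.encode() + b"\0"
        vals = (0, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nameb), 0)
        out += NEWC_MAGIC + b"".join(b"%08x" % v for v in vals)
        out += nameb + b"\0" * _pad4(110 + len(nameb))
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)

def audit_initrd(blob, patterns=KEY_PATTERNS):
    """Return entry names matching any keyfile-like pattern."""
    if blob[:2] == b"\x1f\x8b":
        blob = gzip.decompress(blob)
    regs = [re.compile(p, re.I) for p in patterns]
    return [n for n, _ in iter_newc(blob) if any(r.search(n) for r in regs)]

# Constructed samples: a clean initrd and one where the keyfile was copied in.
HOOK = [("scripts/local-top/loop-aes", b"#!/bin/sh\n"), ("sbin/losetup", b"ELF")]
CLEAN = gzip.compress(build_newc(HOOK))
LEAKY = gzip.compress(build_newc(HOOK + [("etc/loop-aes/rootkey.gpg", b"PGP")]))
```

On a real system, feed `audit_initrd` the bytes of the image under /boot that update-initramfs just wrote; an empty result means nothing keyfile-shaped was packed in.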

Confirm reboot in the debian-installer

Enjoy
