Bug#434158: marked as done (partman-crypto: due to popular demand: root on loop-aes)
Your message dated Thu, 20 Mar 2008 21:32:08 +0000
with message-id <E1JcSMq-0007tO-4J@ries.debian.org>
and subject line Bug#381895: fixed in partman-crypto 28
has caused the Debian Bug report #381895,
regarding partman-crypto: due to popular demand: root on loop-aes
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact email@example.com
Debian Bug Tracking System
Contact firstname.lastname@example.org with problems
--- Begin Message ---
- To: email@example.com
- Subject: partman-crypto: due to popular demand: root on loop-aes
- From: "Nemui Ailin" <firstname.lastname@example.org>
- Date: Sun, 22 Jul 2007 08:13:55 +0800
- Message-id: <email@example.com>
As you are probably aware, loop-aes is faster and more secure than cryptsetup.
Crypto needs to be done using newt ("install", not installgui). This
is documented somewhere on the d-i website.
Unfortunately, the debian-installer doesn't want to let you encrypt
your root with loop-aes even if you have an unencrypted /boot.
First proceed to the partitioner and select encryption with loop-aes,
that will make d-i unpack the necessary files to lib/modules/*/updates
When installing from something involving an iso image, d-i will load
the wrong loop module.
Please make sure to understand the other bug report about this issue
if you are in this situation!
Next thing you need to do is patch debian-installer to not bitch about
having / on loop-aes, this can be done by modifying a file in
/lib/partman/check.d/ and removing the check (thanks to fjp for the
Now the install should go through fine.
Finally you'll want to chroot into your new system, and come up with
some loop-aes initramfs hooks so that your system will be bootable.
You can use those in the loop-aes-utils debian pkg source as a starting point:
apt-get source loop-aes-utils
tar xzvf *.tar.gz
gunzip < ../*.diff.gz | patch -p1
grep -R debian initramfs
and execute the commented lines.
However, they are broken, so fix the bugs in the scripts.
You will also want to add a feature to these scripts so that they read
your key from removable media.
Remember: The "key" in your encryption IS your keyfile. The passphrase
is just an additional blocker, but if your key file gets in the wrong
hands, your security is more than halved!
This means that you absolutely don't want to keep the keyfile in the initrd.
Lastly you will probably want to regen your initrd so that the system
mount proc proc -t proc
update-initramfs -k $(ls lib/modules) -u
Confirm reboot in the debian-installer
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is fixed in the latest version of
partman-crypto, which is due to be installed in the Debian FTP archive:
A summary of the changes between this version and the previous one is
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to firstname.lastname@example.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
Max Vozeler <email@example.com> (supplier of updated partman-crypto package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing firstname.lastname@example.org)
-----BEGIN PGP SIGNED MESSAGE-----
Date: Sat, 08 Mar 2008 17:35:48 +0100
Binary: partman-crypto partman-crypto-dm partman-crypto-loop
Architecture: source all i386
Maintainer: Debian Install System Team <email@example.com>
Changed-By: Max Vozeler <firstname.lastname@example.org>
partman-crypto - Add to partman support for block device encryption (udeb)
partman-crypto-dm - Add to partman support for dm-crypt encryption (udeb)
partman-crypto-loop - Add to partman support for loop-AES encryption (udeb)
Closes: 381895 468738 468739
partman-crypto (28) unstable; urgency=low
[ Max Vozeler ]
* Allow install onto loop-AES encrypted root. Closes: #381895
* check.d/crypto_check_mountpoints: quote $mnt as it
may be empty. Closes: #468739
* commit.d/unsafe_swap: replace open-coded check for
swap on dm-crypt with call to dm_is_safe(). Closes: #468738
* Regenerate the initramfs for root on loop-AES.
* Make veto_filesystems/crypto executable so that it
actually gets used.
[ Updated translations ]
* Bulgarian (bg.po) by Damyan Ivanov
* Esperanto (eo.po) by Serge Leblanc
* Basque (eu.po) by Piarres Beobide
* French (fr.po) by Christian Perrier
* Galician (gl.po) by Jacobo Tarrio
* Japanese (ja.po) by Kenshi Muto
* Korean (ko.po) by Changwoo Ryu
* Portuguese (Brazil) (pt_BR.po) by Felipe Augusto van de Wiel (faw)
* Portuguese (pt.po) by Miguel Figueiredo
* Thai (th.po) by Theppitak Karoonboonyanan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---
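
The changelog entry for check.d/crypto_check_mountpoints ("quote $mnt as it may be empty") names a shell failure mode that can make a safety check misfire silently. The following is an added example, not code from partman-crypto: the function names, the sample partition table and the two test forms are assumptions, since the page does not show the original check.

```sh
#!/bin/sh
# Added illustration; not code from partman-crypto. All names are hypothetical.

# Constructed sample, "device|mountpoint". /dev/sda2 has no mountpoint.
SAMPLE='/dev/sda1|/boot
/dev/sda2|
/dev/sda3|/'

# Before: the value is expanded unquoted. An empty value disappears from
# the argument list, so `[ -n $1 ]` becomes `[ -n ]` (true, because a
# single non-empty argument is true) and `[ $1 = / ]` becomes `[ = / ]`
# (a usage error with status > 1, which an `if` treats as "false").
mounted_unquoted() { [ -n $1 ]; }
is_root_unquoted() { [ $1 = / ] 2>/dev/null; }

# After: quoted, an empty value stays one (empty) argument.
mounted_quoted() { [ -n "$1" ]; }
is_root_quoted() { [ "$1" = / ]; }

# Print each sample device whose mountpoint passes checker "$1".
run_check() {
    printf '%s\n' "$SAMPLE" | while IFS='|' read -r dev mnt; do
        if "$1" "$mnt"; then printf '%s\n' "$dev"; fi
    done
}

for c in mounted_unquoted mounted_quoted is_root_unquoted is_root_quoted; do
    printf '%-17s %s\n' "$c:" "$(run_check "$c" | tr '\n' ' ')"
done
```

The unquoted presence test accepts /dev/sda2 although it has no mountpoint; the quoted form rejects it, and the quoted equality test fails cleanly with status 1 instead of a usage error.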