Bug#434158: marked as done (partman-crypto: due to popular demand: root on loop-aes)

Your message dated Thu, 20 Mar 2008 21:32:08 +0000
with message-id <E1JcSMq-0007tO-4J@ries.debian.org>
and subject line Bug#381895: fixed in partman-crypto 28
has caused the Debian Bug report #381895,
regarding partman-crypto: due to popular demand: root on loop-aes
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

381895: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=381895
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: partman-crypto
Severity: wishlist

As you are probably aware, loop-aes is faster and more secure than cryptsetup.

Crypto needs to be done using newt ("install", not installgui). This
is documented somewhere on the d-i website.

Unfortunately, the debian-installer doesn't want to let you encrypt
your root with loop-aes even if you have an unencrypted /boot.

First proceed to the partitioner and select encryption with loop-aes,
that will make d-i unpack the necessary files to lib/modules/*/updates

When installing from something involving an iso image, d-i will load
the wrong loop module.
Please make sure to understand the other bug report about this issue
if you are in this situation!

Next thing you need to do is patch debian-installer to not bitch about
having / on loop-aes, this can be done by modifying a file in
/lib/partman/check.d/ and removing the check (thanks to fjp for the

Now the install should go through fine.

Finally you'll want to chroot into your new system, and come up with
some loop-aes initramfs hooks so that your system will be bootable.

You can use those in the loop-aes-utils debian pkg source as a starting point:

apt-get source loop-aes-utils
tar xzvf *.tar.gz
cd util*
gunzip < ../*.diff.gz | patch -p1
grep -R debian initramfs

and execute the commented lines.

However, they are broken, so fix the bugs in the scripts.

You will also want to add a feature to these scripts so that it reads
your key from a removable media.

Remember: The "key" in your encryption IS your keyfile. The passphrase
is just an additional blocker, but if your key file gets in the wrong
hands, your security is more than halved!
This means that you absolutely don't want to keep the keyfile in the initrd.

Lastly you will probably want to regen your initrd so that the system
becomes bootable:

mount proc proc -t proc
update-initramfs -k $(ls lib/modules) -u
umount proc

Confirm reboot in the debian-installer


--- End Message ---
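
The report's last two steps (keep the keyfile out of the initrd, then regenerate it) can be checked after `update-initramfs` has run. The script below is an added example, not part of the report or of partman-crypto; the file-name patterns and the PGP armor check are assumptions about what a loop-AES keyfile looks like.

```shell
#!/bin/sh
# Added example: look for loop-AES key material inside an unpacked initramfs.
# The file-name patterns and the PGP armor check are assumptions; add the
# name of your own keyfile to the case pattern.
# Unpack first, e.g.: unmkinitramfs /boot/initrd.img-<version> /tmp/initrd-tree

# Print the sorted paths (relative to the tree) of suspected key files.
find_key_material() {
    tree=$1
    [ -d "$tree" ] || { echo "not a directory: $tree" >&2; return 2; }
    (
        cd "$tree" || exit 2
        find . -type f | sort | while IFS= read -r f; do
            case $f in
                *.gpg|*.pgp|*.key|*.asc)
                    echo "${f#./}"
                    continue ;;
            esac
            # Catch ASCII-armored GPG data stored under an unrelated name.
            if head -n 1 "$f" 2>/dev/null |
                grep -q -e '-----BEGIN PGP MESSAGE-----'; then
                echo "${f#./}"
            fi
        done
    )
}

# Return 0 if the tree holds no suspected key material, 1 if it does,
# 2 if the tree could not be read.
initramfs_is_clean() {
    hits=$(find_key_material "$1") || return 2
    if [ -n "$hits" ]; then
        printf 'key material found in initramfs:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}
```

A non-zero result from `initramfs_is_clean` on the unpacked tree means a hook copied the keyfile into the image and the hook should be fixed before rebooting.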
--- Begin Message ---
Source: partman-crypto
Source-Version: 28

We believe that the bug you reported is fixed in the latest version of
partman-crypto, which is due to be installed in the Debian FTP archive:

  to pool/main/p/partman-crypto/partman-crypto-dm_28_all.udeb
  to pool/main/p/partman-crypto/partman-crypto-loop_28_all.udeb
  to pool/main/p/partman-crypto/partman-crypto_28.dsc
  to pool/main/p/partman-crypto/partman-crypto_28.tar.gz
  to pool/main/p/partman-crypto/partman-crypto_28_i386.udeb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 381895@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Max Vozeler <xam@debian.org> (supplier of updated partman-crypto package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

Format: 1.7
Date: Sat, 08 Mar 2008 17:35:48 +0100
Source: partman-crypto
Binary: partman-crypto partman-crypto-dm partman-crypto-loop
Architecture: source all i386
Version: 28
Distribution: unstable
Urgency: low
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Max Vozeler <xam@debian.org>
 partman-crypto - Add to partman support for block device encryption (udeb)
 partman-crypto-dm - Add to partman support for dm-crypt encryption (udeb)
 partman-crypto-loop - Add to partman support for loop-AES encryption (udeb)
Closes: 381895 468738 468739
 partman-crypto (28) unstable; urgency=low
   [ Max Vozeler ]
   * Allow install onto loop-AES encrypted root. Closes: #381895
   * check.d/crypto_check_mountpoints: quote $mnt as it
     may be empty. Closes: #468739
   * commit.d/unsafe_swap: replace open-coded check for
     swap on dm-crypt with call to dm_is_safe(). Closes: #468738
   * Regenerate the initramfs for root on loop-AES.
   * Make veto_filesystems/crypto executable so that it
     actually gets used.
   [ Updated translations ]
   * Bulgarian (bg.po) by Damyan Ivanov
   * Esperanto (eo.po) by Serge Leblanc
   * Basque (eu.po) by Piarres Beobide
   * French (fr.po) by Christian Perrier
   * Galician (gl.po) by Jacobo Tarrio
   * Japanese (ja.po) by Kenshi Muto
   * Korean (ko.po) by Changwoo Ryu
   * Portuguese (Brazil) (pt_BR.po) by Felipe Augusto van de Wiel (faw)
   * Portuguese (pt.po) by Miguel Figueiredo
   * Thai (th.po) by Theppitak Karoonboonyanan
 765eaaea68a786ab986bb316888afffd 799 debian-installer optional partman-crypto_28.dsc
 11229a33e64a40c39ff602cac5c8cdf2 255228 debian-installer optional partman-crypto_28.tar.gz
 db8b030dffce499b789026e1092c1d92 1366 debian-installer optional partman-crypto-dm_28_all.udeb
 9fd65b64aa90ba131e20c09c9809f850 1240 debian-installer optional partman-crypto-loop_28_all.udeb
 f818ceefb19bc031e5fd4952fe2c2bcf 220840 debian-installer optional partman-crypto_28_i386.udeb
Package-Type: udeb

--- End Message ---