Martin Pitt <mpitt@debian.org> (2015-04-16): > Hello Cyril, > > Cyril Brulebois [2015-04-16 19:40 +0200]: > > Anyway, asking for home encryption indeed leads to swap encryption, > > through a ecryptfs-setup-swap call, which in turn triggers: > > | echo "cryptswap$i UUID=$uuid /dev/urandom swap,offset=1024,cipher=aes-xts-plain64" >> /etc/crypttab > > `---[ src/utils/ecryptfs-setup-swap ]--- > > > > The same file in the Debian package has no offset, so I guess that means > > Debian is rather safe. > > Well, it actually means that it's even more broken :-( If you don't > specify an offset at all, then you can only boot this system once. > Then your partition will be overwritten with random data entirely, and > the next time you won't have any matching UUID any more, and you again > get a hanging boot (this affects sysvinit and upstart too). I. e. you > will have exactly the same effect. > > So to properly fix this, we need: > > (1) the fix to add the offset=: > https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/840 > > (Updating the used cipher would also be a good idea, but not > essential) > > This fix alone is sufficient under sysvinit and upstart. > > (2) this systemd fix to actually respect offset= when booting under > systemd. Huh? Last I checked, guided encrypted LVM just works… Mraw, KiBi.
Attachment:
signature.asc
Description: Digital signature