[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Encrypted swap and partitions

Hello !

Mandrake features encrypted swap and encrypted partition since at
least 8.2. Putting support of such a thing in Debian is relatively
easy. I have filled a bug against cryptoloop-source for this
(#203538). I have modified mountall.sh to allow encrypted swap (the
source code is mostly taken from Mandrake). I could fill a bug about
this against package initscripts but I don't know if a bug is a good
place to discuss about general implementation of such a thing.

Encrypted swap could be used as soon as there is some kind of
cryptographic support in the kernel. The performance impact is
relatively low. To use this with Mandrake, you just pass the option
"encrypted" in /etc/fstab. The Mandrake scripts assume that loop-aes
is in the kernel. With Debian, you can patch your kernel either with
loop-aes, either with kerneli patches (don't know what flavour has
been put in 2.6). If such feature is to be integrated into Debian,
should it support both ?

Encrypted partitions need user interaction to be mounted (the password
is not generated on the fly, like for the swap), so it is only usable
on laptops and maybe on some home systems. mount has a bug and does
not understand that the keybit option is to be passed to losetup (I
have to check if there is a bug against this). This bug apart, you
just have to put a line with loop and encryption option in your
/etc/fstab and this will work. If the auto keyword is present, the
volume will be mounted on startup. This can be a bit annoying if
nobody is here to enter the password. Mandrake asks for the user is
such partitions have to be mounted (and it displays their names, it is
useful if you have several encrypted partitions) and there is a
timeout. mount may need to be patched to allow the "noencrypted"
keyword to avoid that mount -a tries to mount this kind of
partition. I have not checked that.

The conclusion is that adding such support to Debian would need to
fill bugs against several packages without knowing what is best (for
example, mounting encrypted swap could be done in mountall.sh or in a
dedicated script coming along with cryptoloop). Does someone has some
guidelines about this ?
-- 
I AM NOT MY LONG-LOST TWIN
I AM NOT MY LONG-LOST TWIN
I AM NOT MY LONG-LOST TWIN
-+- Bart Simpson on chalkboard in episode 4F03
Reply to: