Bug#247054: Crypto-root patch updated to initrd-tools 0.1.70
"Wesley W. Terpstra" <firstname.lastname@example.org> - Mon, Nov 29, 2004:
> > I'm using /dev/urandom as a key file, and I'm not interested in using a
> > real key protected by a password.
> Or... do you mean swap is protected?
Yes, swap is encrypted. Nothing more, nothing less.
> Ahhh, yes. This setting up of swap in mkinitrd should probably just be
> turned off. It used to work with 'swsusp', but that is no longer in debian
> kernels. So, why configure swap at all?
It's not a point of using swsusp, I believe all dm keys should be saved
by the kernel in the swap area too -- it is kernel data after all --
and the reboot itself should be protected, either at the bootloader
level, at the initrd level (doesn't seem easy to me), or at the kernel
level (isn't easy either).
Anyway, this is off-topic, I'm not using swsusp, merely traditional
swap, and I am just willing to protect what gets swapped. What use is
a crypted root or whatever protection mechanism when any part of a file
or any part of memory can be randomly swapped by the system, and hence
be written in an easy to read area?
That's why I wanted crypted swap (which I think is a must for
crypto-root), but swap is different from other filesystems since it
doesn't require one to hold the same data across reboots. That means I
can set up the swap again and again with different keys, the key doesn't
matter. Hence, there's no need to password-protect the key. And
hence, there's no need to ask me for a password.
> If mkinitrd doesn't attempt to configure swap, this problem will vanish.
Wouldn't it be a drawback for swsusp users if mkinitrd loses this?
> PS. I am presently cleaning up a patch to mount. This patch allows it to
> use dmcrypt directly and therefore /etc/crypttab will be obsolete. The new
> system is much simpler, you keep in your /etc/fstab:
> /dev/muffin/root / reiserfs defaults,dmname=root 0 0
> /dev/muffin/home /home reiserfs defaults,keyfile=/etc/keys/home,dmname=home 0 0
> /dev/muffin/usr /usr reiserfs defaults,keyfile=/etc/keys/usr,dmname=usr 0 0
> /dev/muffin/opt /opt reiserfs defaults,keyfile=/etc/keys/opt,dmname=opt 0 0
> /dev/muffin/swap swap swap swap,keyfile=/etc/keys/swap,dmname=swap 0 0
> Or something similar.
I don't see how your setup permits chaining, that is the ability to
cascade a RAID 1 mapped device, with a crypted device, but we're
Loïc Minier <email@example.com>