Hi list.

On ROCK Linux we are currently thinking about moving from our own system calling dmsetup directly to cryptsetup-luks. If I understand it correctly LUKS works like this:

Consider this the partition you want to encrypt:

|-----------------------------------------------|

Now LUKS puts itself into the first 1032 blocks of the partition:

|LUKS|------------------------------------------|

1032 blocks equal 0.5 Megabyte. In there it stores up to eight actual encryption keys which can be unlocked using a passphrase.

This means that it isn't possible to go to and back from an encrypted filesystem. I don't like this and as such I propose the following:

All filesystems we create should be passed through dmsetup, which configures them to not use those first 1032 blocks. This enables the user to use dd to encrypt or decrypt a filesystem should the need arise to do so.

Is this thought correct or am I missing something? My test using a partition showed this:

-----8<-----8<-----8<-----8<-----
root@crazyhorse:~# echo " 0 $(( 1992060 - 1032 )) linear /dev/discs/disc0/part2 1032 " | dmsetup create bar
root@crazyhorse:~# disktype /dev/mapper/bar

--- /dev/mapper/bar
Block device, size 972.2 MiB (1019406336 bytes)
Linux swap, version 2, subversion 1, 4 KiB pages, little-endian
  Swap size 972.2 MiB (1019396096 bytes, 248876 pages of 4 KiB)

root@crazyhorse:~# cryptsetup luksFormat /dev/discs/disc0/part2

WARNING!
========
This will overwrite data on /dev/discs/disc0/part2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

root@crazyhorse:~# echo " 0 $(( 1992060 - 1032 )) linear /dev/discs/disc0/part2 1032 " | dmsetup create bar
root@crazyhorse:~# disktype /dev/mapper/bar

--- /dev/mapper/bar
Block device, size 972.2 MiB (1019406336 bytes)
Linux swap, version 2, subversion 1, 4 KiB pages, little-endian
  Swap size 972.2 MiB (1019396096 bytes, 248876 pages of 4 KiB)

root@crazyhorse:~# cryptsetup luksOpen /dev/discs/disc0/part2 foo
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.

root@crazyhorse:~# disktype /dev/mapper/{foo,bar}

--- /dev/mapper/foo
Block device, size 972.2 MiB (1019406336 bytes)

--- /dev/mapper/bar
Block device, size 972.2 MiB (1019406336 bytes)
Linux swap, version 2, subversion 1, 4 KiB pages, little-endian
  Swap size 972.2 MiB (1019396096 bytes, 248876 pages of 4 KiB)

root@crazyhorse:~# dd if=/dev/mapper/bar of=/dev/mapper/foo bs=1M
972+1 records in
972+1 records out
1019406336 bytes (1.0 GB) copied, 43.9781 seconds, 23.2 MB/s

root@crazyhorse:~# disktype /dev/mapper/{foo,bar}

--- /dev/mapper/foo
Block device, size 972.2 MiB (1019406336 bytes)
Linux swap, version 2, subversion 1, 4 KiB pages, little-endian
  Swap size 972.2 MiB (1019396096 bytes, 248876 pages of 4 KiB)

--- /dev/mapper/bar
Block device, size 972.2 MiB (1019406336 bytes)
-----8<-----8<-----8<-----8<-----

So it should be possible to go to and from encryption this way. Of course it would have to be backed up by initrd/initramfs code, but that won't hold me back.

Any comments are very much welcome,
Benjamin

-- 
#!/bin/sh #!/bin/bash #!/bin/tcsh #!/bin/csh #!/bin/kiss #!/bin/ksh
#!/bin/pdksh #!/usr/bin/perl #!/usr/bin/python #!/bin/zsh #!/bin/ash
Feel at home? Got some of them? Want to show some magic?
http://shellscripts.org
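The dm-linear offset trick described in the post, as an added shell example that is not the author's code: it builds the table the post pipes into dmsetup and adds the size check a practitioner wants before the dd step, since a plaintext view and a LUKS payload of different sizes would make dd truncate the filesystem or run past the end of the target. The 1032-sector header size is the figure from the post and an assumption here; on a real header it should be read from `cryptsetup luksDump` (the "Payload offset" line), because it depends on key size and LUKS version.

```shell
#!/bin/sh
# Added example, not from the original post. Sector size is assumed to be 512 bytes
# and the LUKS header is assumed to occupy the first HEADER_SECTORS sectors (the
# post's 1032); check the real value with: cryptsetup luksDump <dev> | grep "Payload offset"
HEADER_SECTORS=1032

# Emit the dmsetup table for a linear view of the partition that skips the header area.
# $1 = partition size in 512-byte sectors, $2 = backing device.
# Returns 1 (and prints nothing usable) when the partition cannot hold a header at all.
linear_table() {
    total=$1
    dev=$2
    if [ "$total" -le "$HEADER_SECTORS" ]; then
        echo "partition of $total sectors is too small for a $HEADER_SECTORS-sector header" >&2
        return 1
    fi
    echo "0 $((total - HEADER_SECTORS)) linear $dev $HEADER_SECTORS"
}

# Byte size the view produced by linear_table() will have; this must equal the size of
# the device cryptsetup luksOpen creates over the same partition.
# $1 = partition size in 512-byte sectors.
payload_bytes() {
    echo $(( ($1 - HEADER_SECTORS) * 512 ))
}

# Guard for the dd step: both mapper devices must be exactly the same size.
# $1, $2 = sizes in bytes (e.g. from: blockdev --getsize64 /dev/mapper/bar).
sizes_match() {
    [ "$1" -eq "$2" ]
}

# Sector count of a block device for real use; falls back to $2 (a constructed value)
# when $1 is not a block device, so the arithmetic can be exercised without a disk.
device_sectors() {
    if [ -b "$1" ]; then
        blockdev --getsz "$1"
    else
        echo "$2"
    fi
}

# Usage with the post's numbers (constructed, no device is touched):
#   linear_table "$(device_sectors /dev/discs/disc0/part2 1992060)" /dev/discs/disc0/part2
# prints the table the post fed to "dmsetup create bar".
```

`sizes_match` is what to run on `/dev/mapper/bar` and `/dev/mapper/foo` after `luksOpen` and before `dd`; a mismatch means the header size assumed for the linear view differs from what `luksFormat` actually wrote.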