an idea for post-install cryptsetup-luks encryption

Hi list.

On ROCK Linux we are currently thinking about moving from our own system
calling dmsetup directly to cryptsetup-luks.

If I understand it correctly LUKS works like this:
Consider this your partition you want to encrypt:

	|-----------------------------------------------|

Now LUKS puts itself into the first 1032 blocks of the partition:

	|LUKS|------------------------------------------|

1032 blocks equal 0.5 Megabyte.

In there it stores up to eight actual encryption keys, each of which can be
unlocked using a passphrase.
This means that it isn't possible to convert a filesystem to encrypted
and back again in place.

I don't like this and as such I propose the following:

All filesystems we create should be passed through dmsetup which configures
them to not use those first 1032 blocks. This enables the user to use dd
to encrypt or decrypt a filesystem should the need arise to do so.

Is this thought correct or am I missing something? My test using a partition
showed this:

-----8<-----8<-----8<-----8<-----
root@crazyhorse:~# echo " 0 $(( 1992060 - 1032 )) linear /dev/discs/disc0/part2 1032 " | dmsetup create bar
root@crazyhorse:~# disktype /dev/mapper/bar

--- /dev/mapper/bar
Block device, size 972.2 MiB (1019406336 bytes)
Linux swap, version 2, subversion 1, 4 KiB pages, little-endian
  Swap size 972.2 MiB (1019396096 bytes, 248876 pages of 4 KiB)

root@crazyhorse:~# cryptsetup luksFormat /dev/discs/disc0/part2

WARNING!
========
This will overwrite data on /dev/discs/disc0/part2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
root@crazyhorse:~# echo " 0 $(( 1992060 - 1032 )) linear /dev/discs/disc0/part2 1032 " | dmsetup create bar
root@crazyhorse:~# disktype /dev/mapper/bar

--- /dev/mapper/bar
Block device, size 972.2 MiB (1019406336 bytes)
Linux swap, version 2, subversion 1, 4 KiB pages, little-endian
  Swap size 972.2 MiB (1019396096 bytes, 248876 pages of 4 KiB)

root@crazyhorse:~# cryptsetup luksOpen /dev/discs/disc0/part2 foo
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
root@crazyhorse:~# disktype /dev/mapper/{foo,bar}

--- /dev/mapper/foo
Block device, size 972.2 MiB (1019406336 bytes)

--- /dev/mapper/bar
Block device, size 972.2 MiB (1019406336 bytes)
Linux swap, version 2, subversion 1, 4 KiB pages, little-endian
  Swap size 972.2 MiB (1019396096 bytes, 248876 pages of 4 KiB)

root@crazyhorse:~# dd if=/dev/mapper/bar of=/dev/mapper/foo bs=1M
972+1 records in
972+1 records out
1019406336 bytes (1.0 GB) copied, 43.9781 seconds, 23.2 MB/s
root@crazyhorse:~# disktype /dev/mapper/{foo,bar}

--- /dev/mapper/foo
Block device, size 972.2 MiB (1019406336 bytes)
Linux swap, version 2, subversion 1, 4 KiB pages, little-endian
  Swap size 972.2 MiB (1019396096 bytes, 248876 pages of 4 KiB)

--- /dev/mapper/bar
Block device, size 972.2 MiB (1019406336 bytes)
-----8<-----8<-----8<-----8<-----

So it should be possible to go to and from encryption this way. Of course
it would have to be backed up by initrd/initramfs code, but that won't
hold me back.


Any comments are very much welcome,
	Benjamin

-- 
#!/bin/sh #!/bin/bash #!/bin/tcsh #!/bin/csh #!/bin/kiss #!/bin/ksh
#!/bin/pdksh #!/usr/bin/perl #!/usr/bin/python #!/bin/zsh #!/bin/ash

Feel at home? Got some of them? Want to show some magic?

	http://shellscripts.org
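The offset bookkeeping the proposal relies on, as an added Python example (not ROCK Linux code or cryptsetup's own): it reads the payload offset from a LUKS1 header instead of hard-coding 1032, builds the dm-linear table line piped into dmsetup above, and reproduces the 1019406336-byte size disktype reported. The sample header is constructed inline; the device path and sector count are the ones from the session above.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"   # LUKS1 on-disk magic
SECTOR_BYTES = 512

def luks1_payload_offset(header: bytes) -> int:
    """Payload offset in 512-byte sectors, read from a LUKS1 header.

    LUKS1 layout: magic at byte 0, version (uint16 BE) at 6,
    payload-offset (uint32 BE) at 104. Reading it from the header rather
    than assuming 1032 keeps the linear mapping aligned with whatever
    cryptsetup actually chose for this key size.
    """
    if len(header) < 108 or header[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    version = struct.unpack_from(">H", header, 6)[0]
    if version != 1:
        raise ValueError(f"unsupported LUKS version {version}")
    return struct.unpack_from(">I", header, 104)[0]

def linear_table(device: str, device_sectors: int, offset: int) -> str:
    """dm-linear table exposing `device` minus its first `offset` sectors,
    i.e. the line piped into `dmsetup create` in the post."""
    if not 0 < offset < device_sectors:
        raise ValueError("offset leaves no room for a payload")
    return f"0 {device_sectors - offset} linear {device} {offset}"

def payload_bytes(device_sectors: int, offset: int) -> int:
    """Size of the mapped payload, comparable with what disktype reports."""
    return (device_sectors - offset) * SECTOR_BYTES

def table_from_header(device: str, device_sectors: int, header: bytes) -> str:
    """Derive the plaintext mapping directly from the on-disk header."""
    return linear_table(device, device_sectors, luks1_payload_offset(header))

# Constructed LUKS1 header for the demo (not read from a real device):
# magic, version 1, payload offset 1032 sectors as in the post.
_hdr = bytearray(592)          # LUKS1 phdr is 592 bytes
_hdr[:6] = LUKS_MAGIC
struct.pack_into(">H", _hdr, 6, 1)
struct.pack_into(">I", _hdr, 104, 1032)
SAMPLE_HEADER = bytes(_hdr)

if __name__ == "__main__":
    dev, sectors = "/dev/discs/disc0/part2", 1992060   # values from the post
    print(table_from_header(dev, sectors, SAMPLE_HEADER))
    print(payload_bytes(sectors, luks1_payload_offset(SAMPLE_HEADER)), "bytes")
```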
