Another idea: Cryptsetup should offer to backup the header on the same drive when changes to an existing header are requested. I assume that headers size isn't an issue. Thx, Ingo On 10/31/2011 01:30 AM, Aleksander Swirski wrote:
I'm pretty sure this warning is only displayed when someone decides to create new crypto on some partition or fill encrypted device with random data in the next step after setting the password. but just setting the password on an existing device makes data unusable without warning. when the partitioning is finished there is a list of partitions that will be wiped out, and also, during my installation crypto-deviced and /home inside LVM was not listed there, but already lost few clicks earlier. i understand that it wasn't taken into consideration that someone can attach existing encrypted device, but only that a new one will be created. this is inconsistent with how it goes with unencrypted partitions, where you can reattach them without formatting and keep your data. so i guess with encrypted partition this should also work that way. or maybe i miss the point? i will try to make the whole scenario clear, and then send my proposition, to debian-boot@xxxxxxxxxxxxxxxx <mailto:debian-boot@xxxxxxxxxxxxxxxx> On 30 October 2011 23:25, Jonas Meurer <jonas@xxxxxxxxxxxxxxx <mailto:jonas@xxxxxxxxxxxxxxx>> wrote: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Aleksander, Am 30.10.2011 19:56, schrieb Aleksander Swirski: > I will also try to push this info to the debian devs. I'm not sure > how to do that properly (hint appreciated). I know, that the route > of installation I took is not a common one, but a simple warning > would suffice to avoid this kind of trouble. After all my encrypted > LVM and specifically the /home partition within LVM wasn't listed > among those, which are to be erased at any point during the > installation. (I marked them with - K - keep the data) I guess that you selected to configure the device which contained the LVM volume group as new encrypted device. Then you where asked for the new passphrase twice, and a new LUKS header was written to the device, overwriting the old LUKS header. That way you shredded all the encrypted data on that device, regardless what it was. The partitions you marked as "keep the data" weren't overwritten, just the LUKS header of underlying device was overwritten. I agree, that a warning in the Debian Installer is a good idea, but to be honest, there's already a big fat warning: > _Description: Really erase the data on ${DEVICE}? The data on > ${DEVICE} will be overwritten with random data. It can no longer be > recovered after this step has completed. This is the last > opportunity to abort the erase. (from http://anonscm.debian.org/gitweb/?p=d-i/partman-crypto.git;a=blob;f=debian/partman-crypto.templates) If you like to propose changes to the (warnings in the) process of configuring encrypted volumes during installation of Debian, feel free to discuss this on debian-boot@xxxxxxxxxxxxxxxx <mailto:debian-boot@xxxxxxxxxxxxxxxx>. You might as well take a look at the following page: http://wiki.debian.org/DebianInstaller/PartmanCrypto Greetings, jonas -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJOrc7tAAoJEFJi5/9JEEn+bo4P/0vX3AxnpXzWO3NUvYW2wh6H k7v8Dhx6Rw5HXttHuF8JSypkvcHuLfWyGLq0J4qlsw4GvK/cPtwdCuSe//uJvqSB 4Z6qj55E/3/M+aEBMzT9oBeZ5DVGPp0+76VWFNijGzHYMoT4YYm0pZBsmfZ7U2RJ +7xFyGP0d7oXJIqoW8aUyufgdYnRNdcZdJtY27XHgKW1m9ytllIuK0h7hl410/L0 vy2t4IqSlO5Uko1/bOf3FETNkBRTUl4T2jWMP3dEpNMRobB1ZH5I5menXWSwzgR9 c2QWRkwQ8iUsAdakofnl9O1jhtw3Z9MKxHQbnxh32oNuS5Aaf5xxfiI7jXf3yY/L GUKyIOa5nGtNtwUt4l0RTJAKoyY2J2KtBJm+JL51tQ3q/iyZsfRLVmyczlkzKUhj vMKgSzhV8/IyQ/snqftAMqmRXYgaOE3qDCe8MR+EChIFwX2Zr+eRWdRzVFDjQ0kP Cyc6Yw3TrthD8GuWWxU93tE3YMVxgI76+lDk/LBLZjviMTEfkR5e+gmuoff+Xdta aBYek7loOjkqb+gJ6qeqAKuDLAZnw/BmHfgpYQpatdSeiV6jpGPkGMbYTwDHLlXR rE72FJe1emdcDWQ6TE8SP+6KW22HirBPD5q6DPqJ2Oxcxx+AotXeLvDpnhd9S5b2 fDNHacCUklPyCeH81nsH =PLsS -----END PGP SIGNATURE----- _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx <mailto:dm-crypt@xxxxxxxx> http://www.saout.de/mailman/listinfo/dm-crypt _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
_______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
