|
Hi, Recently I setup my Debian wheezy working laptop to have /home partition encrypted using cryptsetup and passdev script to load the key from a SD card inserted to my laptop's SD slot. In additional I have setup my swap partition encrypted, because I red this is a highly recommended for increased security. So I have also root /, /tmp, /usr and /var partitions that I decided to left unencrypted. In order to have hibernate functionality I am trying to achieve automatic decryption of swap partition using decrypt_derived script. This means I want to have /home decrypted first by passdev (this I configured and working fine) and then swap decrypted using decrypt_derived from /home (this is not working in initrd for some reason) Here is the configuration taken from initrd: target=sda9_crypt,source=UUID=d8f706c5-5599-4b86-b8d4-abe55510c1c3,key=/dev/mmcblk0p1:/keys/sda9.luks.key,keyscript=/lib/cryptsetup/scripts/passdev target=sda7_crypt,source=UUID=cbfb7208-8a2a-498a-87bd-ba7370a26731,key=sda9_crypt,cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,keyscript=/lib/cryptsetup/scripts/decrypt_derived I enabled debug on initramfs from grub bootloader and reviewed the file /run/initramfs/initramfs.debug after boot process completed: ... cut ... Begin: Running /scripts/local-top ... + run_scripts /scripts/local-top + initdir=/scripts/local-top + [ ! -d /scripts/local-top ] + [ -f /scripts/local-top/ORDER ] + . /scripts/local-top/ORDER + /scripts/local-top/cryptopensc + [ -e /conf/param.conf ] + /scripts/local-top/cryptroot cryptsetup: sda9_crypt set up successfully <- /home partition decrypted successfully No key available with this passphrase. <- I assume this is related to swap sda7_crypt cryptsetup: cryptsetup failed, bad password or options? <- why? No key available with this passphrase. cryptsetup: cryptsetup failed, bad password or options? No key available with this passphrase. cryptsetup: cryptsetup failed, bad password or options? + [ -e /conf/param.conf ] ... cut ... It seems like what happening later when initrd is completed and /sbin/init is executed is that swap partition is mounted successfully after all, but since this is not happening inside initrd the hibernate feature is not working. This is how it looks like after boot finished: # mount udev on /dev type devtmpfs (rw,relatime,size=2017156k,nr_inodes=213275,mode=755) devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000) tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,size=404528k,mode=755) /dev/disk/by-uuid/c4b2d6d6-048d-43e4-9309-0a73aa7fe26c on / type ext4 (rw,relatime,errors=remount-ro,user_xattr,barrier=1,stripe=4,data=""> tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k) tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime,size=809056k) proc on /proc type proc (rw,nosuid,nodev,noexec,relatime) sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime) tmpfs on /run/shm type tmpfs (rw,nosuid,nodev,relatime,size=809056k) /dev/mapper/sda9_crypt on /home type ext4 (rw,relatime,user_xattr,barrier=1,data=""> /dev/sda8 on /tmp type ext4 (rw,relatime,user_xattr,barrier=1,stripe=4,data=""> /dev/sda5 on /usr type ext4 (rw,relatime,user_xattr,barrier=1,data=""> /dev/sda6 on /var type ext4 (rw,relatime,user_xattr,barrier=1,data=""> rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime) fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime) binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime) # swapon -s Filename Type Size Used Priority /dev/mapper/sda7_crypt partition 8182780 16 -1 Can anybody help either with suggestion why this isn't working or any alternative approach? Is it insecure to use the different keys for both /home and swap and to use passdev for both for example? Or may be left swap unencrypted after all? (what exactly is compromised by this way?) Thanks in advance! Cheers, Martin |
_______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
