On Thu, Aug 23, 2012 at 05:10:25PM +0200, Christophe wrote:
> On Thu, Aug 23, 2012 at 01:27:28PM +0200, Arno Wagner wrote:
> > > What do you mean by plain dm-crypt ?
> >
> > plain dm-crypt = cryptsetup not for LUKS, i.e. a headerless
> > set-up. Used this way in the man-page and the FAQ. I assume
> > that is what he meant.
> >
> > > If you mean aes-plain, then the mechanisms
> >
> > That is something different. Plain dm-crypt defaults to
> > aes-cbc-essiv:sha256
>
> Sorry, aes-plain was the default in previous versions if my memory is right...
> anyway, without LUKS headers is what I had in mind, aes-plain being one of the
> possible cipher strings.

According to the FAQ Section 8.1 you are right. (I wrote that, so
I think it is correct ;-) Ok.

> > > present in most distributions won't be able to "see" your encrypted volumes, and
> > > /etc/crypttab won't be of any use either.
> > >
> > > However, as Arno said you can do it with an initramfs image. Debian for
> > > instance has a pretty convenient mechanism to automatically create
> > > initramfs images for your different kernels, and you can use hooks to
> > > place your own scripts in it. When you install cryptsetup, Debian updates
> > > all the initramfs images with the cryptsetup binary.
> >
> > Nice! Seems cryptsetup support in distros is definitely getting
> > better.
>
> Debian has proposed an encrypted LVM partition scheme with cryptsetup/LUKS for a
> few years now.
>
> > > All you'll need to
> > > do after that is to add a custom boot parameter to your bootloader (say
> > > encrypted_root=/dev/sdX), place a script in the initramfs that will map
> > > the partition with cryptsetup (e.g. cryptsetup -c aes-plain create root
> > > ${encrypted_root}) and update your /etc/fstab (/dev/mapper/root / ...).
> >
> > So no full support yet? Pity. As some others here have pointed out,
> > there are Distros with full cryptsetup integration. Gentoo seems
> > to be one. On the other hand, it seems some problems Ubuntu has
> > with LUKS are still not solved, so YMMV.
>
> Debian has full support for cryptsetup/LUKS,

For encrypted root? News to me, but would be a good thing.

> but not for plain dm-crypt, not to
> my knowledge anyway. I think this makes sense as there is no way to
> automatically detect an encrypted partition with no header.
>
> The only advantage I can see in using encrypted partitions with no header
> is to "hide" the encrypted volume, however the partition, cipher and hash

The second one is better resilience, as there is no header
single-point-of-failure. Whether that is worth total loss of
key management depends on the application.

> function have to be specified somewhere if one wants the distro to be able
> to do automatic configuration.

That is not the issue. Reasonable defaults would do that. The
issue is that the partition type cannot be detected anymore
without the key.

> The bootloader will need it in its
> configuration, which doesn't make it any better than LUKS in terms of
> discreetness.

Huh? What is the bootloader going to do with that info? Last
I checked, you still need a running kernel and system (possibly
in the form of an initrd) to do anything with encrypted partitions,
no matter whether LUKS or plain. I may be behind times here, if so,
please explain.

> IMHO, successfully hiding an encrypted partition necessarily involves
> manual operations, which makes plain dm-crypt out of the scope of a
> general distro such as Debian.

I agree. But hiding is not even supported by cryptsetup. Headerless
operation is something else.

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
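One concrete shape for the initramfs mapping step Christophe describes, added here as an example (not code from the thread, nor Debian's own cryptsetup hooks): a POSIX sh script that reads `encrypted_root=` from the kernel command line, rejects anything that is not a plain `/dev/...` path, and maps the headerless volume with cipher and hash stated explicitly, since plain mode has no header to read them from. It uses the current `cryptsetup open --type plain` syntax instead of the older `create` form quoted above; the variable and function names and the local-top placement are assumptions, `aes-cbc-essiv:sha256` is the default Arno cites, and ripemd160 is cryptsetup's plain-mode passphrase hash default.

```shell
#!/bin/sh
# Added example, not from the thread: an initramfs-side script (assumed to run in
# initramfs-tools' local-top stage) that maps a headerless dm-crypt root from an
# encrypted_root=<device> kernel parameter, as Christophe describes.

# Plain mode stores nothing on disk: cipher and hash must match what was used at
# creation time, or the mapping "succeeds" and exposes garbage instead of failing.
PLAIN_CIPHER="${PLAIN_CIPHER:-aes-cbc-essiv:sha256}"   # default named in the thread
PLAIN_HASH="${PLAIN_HASH:-ripemd160}"                   # cryptsetup's plain-mode default
MAPPED_NAME="${MAPPED_NAME:-root}"                      # gives /dev/mapper/root for fstab

# parse_encrypted_root "<cmdline>": print the encrypted_root= value, fail if absent.
parse_encrypted_root() {
    for arg in $1; do
        case "$arg" in
            encrypted_root=*) printf '%s\n' "${arg#encrypted_root=}"; return 0 ;;
        esac
    done
    return 1
}

# device_path_ok "<path>": accept only an absolute /dev path of safe characters,
# so a tampered command line cannot smuggle cryptsetup options or shell syntax.
device_path_ok() {
    case "$1" in
        /dev/*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9/_.-]*) return 1 ;;
    esac
    return 0
}

# map_encrypted_root "<cmdline>": validate the parameter, then map the device
# (needs root privileges and the real block device, so it is not exercised here).
map_encrypted_root() {
    dev=$(parse_encrypted_root "$1") || { echo "encrypted_root= not set" >&2; return 1; }
    device_path_ok "$dev" || { echo "refusing device '$dev'" >&2; return 1; }
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    cryptsetup open --type plain --cipher "$PLAIN_CIPHER" --hash "$PLAIN_HASH" \
        "$dev" "$MAPPED_NAME"
}

# Act only when invoked as the boot hook; sourcing the file has no side effects.
if [ "${RUN_ENCRYPTED_ROOT_HOOK:-0}" = 1 ]; then
    map_encrypted_root "$(cat /proc/cmdline)"
fi
```

Set RUN_ENCRYPTED_ROOT_HOOK=1 in the hook wrapper to have it act at boot; the /etc/fstab entry then points at /dev/mapper/root as in the thread.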