Re: LUKS + dm-crypt Debian/Ubuntu expanding encrypted root LV onto 2nd disk

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


This is still work in progress for me but I give my interim response below. Thanks for all the help.

On Wed, 29 May 2019 at 14:44, Guilhem Moulin <guilhem@xxxxxxxxxxx> wrote:
On Wed, 29 May 2019 at 12:26:12 +0100, Dominic Raferd wrote:
> Thanks but I am using the standard Debian recipe (via Ubuntu alternate
> installer which uses anaconda) for drive encryption (LUKS + dm-crypt, with
> LVM on top) and this does not give any chance (AFAIK) to specify a special
> parameter for cryptsetup.

That flag is to be passed to `open` (or `refresh`) at initramfs stage,
not `luksFormat` at d-i stage.  I suppose it doesn't change much though,
as --disable-keyring, and --token-* flags can't be specified to Debian's
crypttab(5) at the moment.
You raise my hopes and then dash them ;-) 

> The idea of reusing key from first crypt device when creating second crypt
> device is that once the first crypt device is decrypted in initramfs (by
> user entering password) then the second one can be decrypted using the key
> from the first.

You have a backup key slot on the device unlocked with decrypt_derived,
right?  Otherwise you'll loose both devices if the source is lost or
damaged.

I am only testing now but what you say is wise. 
 
As written in /usr/share/doc/cryptsetup-initramfs/README.initramfs.gz
decrypt_derived doesn't work with LUKS2 on Linux ≥4.10, because the
volume key of the source device is offloaded to the kernel keyring thus
not readable by userspace.  Since --disable-keyring can't be
persistently written into the LUKS header as of 2.1.0, nor can it be
toggled from crypttab(5), I guess that if you want to stick to
decrypt_derived your options are to use `luksFormat --type luks1` (or `convert --type luks1`);

unfortunately this doesn't work. I try it (booting from SystemRescueCD):

# cryptsetup convert /dev/sda5 --type luks1

WARNING!
========
This operation will convert /dev/sda5 to LUKS1 format.

Are you sure? (Type uppercase yes): YES
Cannot convert to LUKS1 format - keyslot 0 is not LUKS1 compatible.
...
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt
[Index of Archives]     [Device Mapper Devel]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux