Old 09-06-2008, 09:53 PM
markus reichelt
 
Default encrypted partition question

>On Thu, Sep 04, 2008 at 08:03:48PM +0200, Maciej Korze? wrote:
>> Alexander Golovin wrote:
>>> [...]
>>> 2. Created the cryptographic device mapper: cryptsetup -y
>>> create crypt /dev/hda6 (entered passphrase twice) [...]
>>
>> cryptoloop is not the best choice:
>> http://mareichelt.de/pub/texts.cryptoloop.php.
>> :-)

First of all, that's not cryptoloop Alexander is using. It's dm-crypt
and that's gotten A LOT better since kernels prior to 2.6.10.


>it seems that was true for pre 2.6.10. not saying dm-crypt is
>better than loop-aes, not sure what the status is now

It's mentioned in the text linked.

"By now" dm-crypt is mature enough to handle one's data safely,
regarding cryptography. From what I read on the dm-crypt mailinglist
every now and then, I'd still recommend loop-AES over dm-crypt for
stability and reliability alone. YMMW, of course.

Again, the text linked was/is not meant to diss certain crypto
implementations but warn about potentially significant flaws of
current crypto implementations.


--
left blank, right bald
 
Old 09-07-2008, 12:20 AM
linuksos
 
Default encrypted partition question

Hi Alexander,

you may want to look here for simple step by step guide on how to
encrypt partitions with luks encryption.

http://www.linuxconfig.org/Partition_Encryption

On Sun, Sep 7, 2008 at 7:53 AM, markus reichelt <ml@mareichelt.de> wrote:
>>On Thu, Sep 04, 2008 at 08:03:48PM +0200, Maciej Korze? wrote:
>>> Alexander Golovin wrote:
>>>> [...]
>>>> 2. Created the cryptographic device mapper: cryptsetup -y
>>>> create crypt /dev/hda6 (entered passphrase twice) [...]
>>>
>>> cryptoloop is not the best choice:
>>> http://mareichelt.de/pub/texts.cryptoloop.php.
>>> :-)
>
> First of all, that's not cryptoloop Alexander is using. It's dm-crypt
> and that's gotten A LOT better since kernels prior to 2.6.10.
>
>
>>it seems that was true for pre 2.6.10. not saying dm-crypt is
>>better than loop-aes, not sure what the status is now
>
> It's mentioned in the text linked.
>
> "By now" dm-crypt is mature enough to handle one's data safely,
> regarding cryptography. From what I read on the dm-crypt mailinglist
> every now and then, I'd still recommend loop-AES over dm-crypt for
> stability and reliability alone. YMMW, of course.
>
> Again, the text linked was/is not meant to diss certain crypto
> implementations but warn about potentially significant flaws of
> current crypto implementations.
>
>
> --
> left blank, right bald



--
lubo
http://www.linuxconfig.org/


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 09-21-2008, 04:32 AM
DanMitton
 
Default encrypted partition question

If I don't want to use "none" and be prompted for the passphrase, how can I
do it? I have the passphrase on a USB thumb drive, but how do I specify the
key file name? /dev/sdc1/somedirectory/somefile ??



Cassiano Bertol Leal wrote:
>
> On Thu, Sep 4, 2008 at 5:23 PM, Alexander Golovin
> <alex.golovin@mail.ru>wrote:
>
>>
>> Hi Cassiano!
>
>
> Hi!
>
>
>> You've written:
>> "as far as I know the mapping should be recreated each time you reboot
>> using /sbin/cryptsetup. We are using luks extension and at each reboot
>> we need to issue cryptsetup luksOpen </dev/name> <mappername>.
>>
>
>
> The text above was actually from Andrea Bicciolo, to which I replied:
>
>
>> /etc/crypttab should make the use of this command unnecessary. The
>> passphrase will then be asked at boot time."
>>
>
> Can you describe how to we need do that?
>
>
> To me it seems that what you've described in your first e-mail is pretty
> much ok.
>
> The problem you're facing is that the encrypted volume is not being
> de-crypted and this is the reason why the device (the actual partition
> inside the encrypted vol) is not being mapped into /dev/mapper.
>
> In step 3 (from your original e-mail) you are inserting only two fields
> into
> /etc/crypttab, but this file mandates four fields: target, source device,
> key file and options.
>
> - Target is the device that will be created in /dev/mapper (in your
> example,
> "crypt" without the quotes);
> - Source device is the actual device or partition (/dev/hda6) that's
> encrypted
> - Key file is where the system will read the key to de-crypt the volume.
> If
> set to "none", you will be asked for a passphrase, which I assume is your
> case
> - Options can be many things. For LUKS, just put "luks". For more options,
> refer to "man /etc/crypttab"
>
> My guess is that if you correct your step 3 to include all four fields in
> /etc/crypttab you will be automatically asked for the passphrase next time
> you boot the machine, so edit the file and substitute:
>
> crypt /dev/hda6
>
> for
>
> crypt /dev/hda6 none luks
>
> Save the file and reboot. If it does not work, post back your experience.
>
> My experience with manually encrypted partitions is somewhat limited, but
> overall it should work as I described.
>
> Cheers,
> Cassiano Leal
>
>

--
View this message in context: http://www.nabble.com/encrypted-partition-question-tp19316048p19591597.html
Sent from the Debian User mailing list archive at Nabble.com.
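
The four-field rule from the explanation quoted above (target, source device, key file, options), turned into a check; this is an added example and not part of any message in the thread. `lint_crypttab` and the sample text are constructed for illustration, and the key-file permission check is an extra hardening check that the thread itself does not discuss.

```python
import os
import stat

# Field names as listed in the quoted explanation of /etc/crypttab.
FIELDS = ("target", "source device", "key file", "options")

# Constructed sample: the two-field line from the thread, then the corrected one.
SAMPLE = """\
# <target> <source device> <key file> <options>
crypt /dev/hda6
crypt /dev/hda6 none luks
"""

def lint_crypttab(text):
    """Return (line_no, target, message) findings for crypttab-style text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        target = fields[0]
        if len(fields) < len(FIELDS):
            missing = ", ".join(FIELDS[len(fields):])
            findings.append((no, target, "missing field(s): " + missing))
            continue
        key = fields[2]
        if key == "none":
            continue  # passphrase is prompted for at boot; no file to inspect
        try:
            st = os.stat(key)
        except OSError as exc:
            # e.g. the path does not exist, or a path component is not a directory
            findings.append((no, target, "key file unusable: " + exc.strerror))
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & 0o077:
            mode = "%04o" % stat.S_IMODE(st.st_mode)
            findings.append((no, target,
                             "key file accessible by group/other: mode " + mode))
    return findings

if __name__ == "__main__":
    for no, target, message in lint_crypttab(SAMPLE):
        print("line %d (%s): %s" % (no, target, message))
```
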


 
Old 09-22-2008, 11:22 PM
Rick Thomas
 
Default encrypted partition question

Since top-posting is discouraged on this list, my comments are at the
bottom of this email...



On Sep 21, 2008, at 12:32 AM, DanMitton wrote:

> If I don't want to use "none" and be prompted for the passphrase, how can I
> do it? I have the passphrase on a USB thumb drive, but how do I specify the
> key file name? /dev/sdc1/somedirectory/somefile ??
>
> Cassiano Bertol Leal wrote:
>>
>> On Thu, Sep 4, 2008 at 5:23 PM, Alexander Golovin
>> <alex.golovin@mail.ru>wrote:
>>
>>> Hi Cassiano!
>>
>> Hi!
>>
>>> You've written:
>>> "as far as I know the mapping should be recreated each time you reboot
>>> using /sbin/cryptsetup. We are using luks extension and at each reboot
>>> we need to issue cryptsetup luksOpen </dev/name> <mappername>.
>>
>> The text above was actually from Andrea Bicciolo, to which I replied:
>>
>>> /etc/crypttab should make the use of this command unnecessary. The
>>> passphrase will then be asked at boot time."
>>
>> Can you describe how to we need do that?
>>
>> To me it seems that what you've described in your first e-mail is pretty
>> much ok.
>>
>> The problem you're facing is that the encrypted volume is not being
>> de-crypted and this is the reason why the device (the actual partition
>> inside the encrypted vol) is not being mapped into /dev/mapper.
>>
>> In step 3 (from your original e-mail) you are inserting only two fields
>> into /etc/crypttab, but this file mandates four fields: target, source
>> device, key file and options.
>>
>> - Target is the device that will be created in /dev/mapper (in your
>> example, "crypt" without the quotes);
>> - Source device is the actual device or partition (/dev/hda6) that's
>> encrypted
>> - Key file is where the system will read the key to de-crypt the volume.
>> If set to "none", you will be asked for a passphrase, which I assume is
>> your case
>> - Options can be many things. For LUKS, just put "luks". For more options,
>> refer to "man /etc/crypttab"
>>
>> My guess is that if you correct your step 3 to include all four fields in
>> /etc/crypttab you will be automatically asked for the passphrase next time
>> you boot the machine, so edit the file and substitute:
>>
>> crypt /dev/hda6
>>
>> for
>>
>> crypt /dev/hda6 none luks
>>
>> Save the file and reboot. If it does not work, post back your experience.
>>
>> My experience with manually encrypted partitions is somewhat limited, but
>> overall it should work as I described.
>>
>> Cheers,
>> Cassiano Leal
>
> --
> View this message in context: http://www.nabble.com/encrypted-partition-question-tp19316048p19591597.html
> Sent from the Debian User mailing list archive at Nabble.com.




I have the same question.

A clue can be found in /usr/share/doc/cryptsetup/README.initramfs.gz,
but things aren't always in the places mentioned in that document,
so you have to go searching for them. I can do that, but my question
is: Once I've found cryptsetup (or whatever it's actually called)
and made the indicated changes to it, how do those changes get
propagated into the initramfs.


Thanks!

Rick


 
Old 09-23-2008, 12:04 PM
Chris Bannister
 
Default encrypted partition question

On Mon, Sep 22, 2008 at 07:22:44PM -0400, Rick Thomas wrote:
> Since top-posting is discouraged on this list, my comments are at the
> bottom of this email...

Right, but just scrolling to the bottom and typing your message is just
as bad IMO

[snip heaps of unnecessary text]

> I have the same question.
>
> A clue can be found in /usr/share/doc/cryptsetup/README.initramfs.gz,
> but things aren't always in the places mentioned in that document,
> so you have to go searching for them. I can do that, but my question

But this is your question ...

> is: Once I've found cryptsetup (or whatever it's actually called)
> and made the indicated changes to it, how do those changes get
> propagated into the initramfs.

dpkg-reconfigure <kernel-image>?

--
Chris.
======
I contend that we are both atheists. I just believe in one fewer god
than you do. When you understand why you dismiss all the other
possible gods, you will understand why I dismiss yours.
-- Sir Stephen Henry Roberts


 

All times are GMT.