06-10-2011, 05:15 PM
Christian Jaeger

How to install with encrypted root?

See my other reply, it seems pretty clear that there is a bug in the
debian installer (assuming that the installer is *meant* to support
installing a system with encrypted root and that the result boots).
Glad it worked for you; please tell if you can add information to pin
the problem down more.

Christian.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/BANLkTikFWYF2OwTSP_HFEsQB2m9BhbO1kg@mail.gmail.com

06-10-2011, 08:48 PM
"tv.debian@googlemail.com"

How to install with encrypted root?

On 10/06/2011 17:54, Christian Jaeger wrote:
> Thanks for your reply. I got it to work now.
>
>> 2011/6/10 tv.debian@googlemail.com <tv.debian@googlemail.com>:
[...]
>
>> Maybe cp the /usr/share/initramfs-tools/hooks/cryptroot hook script to
>> /etc/initramfs-tools/hooks/, this shouldn't be necessary though.
>
> My system didn't have the /usr/share/initramfs-tools/hooks/cryptroot
> file; while trying to figure out why, I realized that the "cryptsetup"
> package wasn't installed! After installing it, update-initramfs now
> creates an initrd that *does* contain cryptsetup.
>
> I expected that the installer would install cryptsetup automatically
> (at least) if the user creates encrypted partitions using its
> partitioner. I would say this is a bug of the installer; anyone
> disagreeing?
>
[...]
>
> So I'm looking forward to report a bug against the installer (actually
> several, since it didn't install busybox either).

This is weird, when I last tried I didn't experience any problem and all
required packages were installed. Which install mode did you use, from
what media (if you have the download url that would be even better) ?


> BTW is there a way to make the boot process cache the pass phrase, so
> that when I'm using the same for several partitions it would only ask
> once?
Not that I know of, and I wouldn't use luks if it was caching the
pass-phrase leaving it accessible for "reuse". I think that would defeat
the purpose. You can use decrypt_derived or random key for the swap
partition for instance, and use pam-mount for the others, it will save
you some typing at the cost of having the same password for account
login and luks decryption. Or store the key on a different media
plugged-in at boot time, or on the first decrypted partition (insecure).
It's all a matter of compromise between security and comfort/usability.



>
> Christian.
>


Archive: http://lists.debian.org/4DF28329.7030406@googlemail.com

06-11-2011, 03:52 AM
Christian Jaeger

How to install with encrypted root?

> This is weird, when I last tried I didn't experience any problem and all
> required packages were installed. Which install mode did you use, from
> what media (if you have the download url that would be even better) ?

I used jigdo-lite to expand the .jigdo file found on the official page,
http://www.debian.org/CD/jigdo-cd/#which
-> CD i386
http://cdimage.debian.org/debian-cd/6.0.1a/i386/jigdo-cd/debian-6.0.1a-i386-CD-1.jigdo

(which has md5sum
c29fb09ac0db3c23a95cb236f5adde78 debian-6.0.1a-i386-CD-1.jigdo)

it yielded this sha256sum:
8ffbbe6cea9598fe1b964c7d7ff8e7a76871fbc69a439919ade7fbb7b7397f00 debian-6.0.1a-i386-CD-1.iso

then I used unetbootin (either 471-2 (stable) or 549-1 (testing),
don't remember which) to write it to a USB flash stick, from which I
booted my Acer Aspire One D255E netbook. I used the default boot
entry, then the manual partitioner. (You can find more details about
how I ran the installer on the bug report I linked at the top of this
thread.)

> No that I know of, and I wouldn't use luks if it was caching the
> pass-phrase leaving it accessible for "reuse". I think that would defeat
> the purpose.

(Well, in an attempt to cut down on the number of passwords that I'm
having to deal with, I installed this machine with the luks
passphrases == root password.

My purpose is to prevent data exposure after theft of the netbook, and
I don't care about the risk of recovery from RAM sticks being frozen
with liquid nitrogen. Then, assuming that the cache is properly
written (only accessible by root), the only risk I see is that a local
hijacker that got root access for a short time or with a limited
bandwidth connection could just read the passphrase, and then after
stealing the laptop decrypt the whole disk at leisure, instead of
being limited by the amount of decrypted data he could manage to copy
(without discovery) without physical stealing. Fair enough, but I'm
currently more worried about my limited brain memory for storing
secure passphrases.)

> You can use decrypt_derived or random key for the swap
> partition for instance,

I'm doing that on two other machines, but IIRC this isn't compatible
with s2disk, which I might want to use on the netbook.

> Or store the key on a different media
> plugged-in at boot time

Yeah, I'm still sometimes thinking about such solutions, also for
normal login; but USB port connectors would be worn out rather quickly
I guess, and still less convenient than typing a password. Wondering
about bluetooth. I guess near field communication would be more
appropriate. (I stopped using my fingerprint reader because it wasn't
working reliably enough. And I know it's not secure anyway.)

Christian.


Archive: http://lists.debian.org/BANLkTikZvzih_mDih_XyUUSdwxFFKkUHbw@mail.gmail.com

06-11-2011, 08:11 AM
"tv.debian@googlemail.com"

How to install with encrypted root?

On 11/06/2011 05:52, Christian Jaeger wrote:

[trim]
>> You can use decrypt_derived or random key for the swap
>> partition for instance,
>
> I'm doing that on two other machines, but IIRC this isn't compatible
> with s2disk, which I might want to use on the netbook.

decrypt_derived is compatible with suspend to disk. Use the right script
(/lib/cryptsetup/scripts/decrypt_derived) and fill in
/etc/initramfs-tools/conf.d/resume. Update initramfs.
But in my experience it takes longer to wake up from disk than to
reboot, and you have to type the pass-phrase once anyway. If you
consider that suspend is barely working in Linux, I don't know if it's
worth it.

[trim]
>> Or store the key on a different media
>> plugged-in at boot time
>
> Yeah, I'm still sometimes thinking about such solutions, also for
> normal login; but USB port connectors would be worn out rather quickly
> I guess, and still less convenient than typing a password.
[trim]
You could also store key-files on the first decrypted partition (/root),
if you don't care about the luks setup being vulnerable while running;
that would reduce the password typing.

> Christian.
>


Archive: http://lists.debian.org/4DF32328.9010008@googlemail.com
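The decrypt_derived swap plus resume-file setup described in the reply above, as an added example that is not from the list post: a Python consistency check of /etc/crypttab against /etc/initramfs-tools/conf.d/resume, flagging a derived mapping whose source is not unlocked earlier and a resume target that uses a random swap key (the incompatibility the thread discusses). Device names are constructed, and the check assumes crypttab mappings are activated top to bottom.

```python
import re
from typing import Dict, List

DERIVED_SCRIPT = "/lib/cryptsetup/scripts/decrypt_derived"

# Constructed sample (hypothetical device names): root on LUKS, swap keyed
# from root via decrypt_derived, and a resume file pointing at the swap mapping.
CRYPTTAB = """\
# <target> <source> <key file> <options>
sda5_crypt /dev/sda5 none luks
sda6_crypt /dev/sda6 sda5_crypt luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
"""
RESUME_CONF = "RESUME=/dev/mapper/sda6_crypt\n"


def parse_crypttab(text: str) -> List[Dict[str, object]]:
    """Split crypttab into target/source/keyfile/options records, ignoring comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {line!r}")
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = fields[3].split(",") if len(fields) > 3 else []
        entries.append({"target": fields[0], "source": fields[1],
                        "keyfile": keyfile, "options": options})
    return entries


def check_resume(crypttab: str, resume_conf: str) -> List[str]:
    """Return problems found; an empty list means swap/resume setup is consistent."""
    problems: List[str] = []
    seen: Dict[str, Dict[str, object]] = {}   # mappings activated so far (assumed in file order)
    for e in parse_crypttab(crypttab):
        if f"keyscript={DERIVED_SCRIPT}" in e["options"]:
            # decrypt_derived reads the key of the mapping named in the key-file field,
            # so that mapping must already be open when this line is processed.
            src = seen.get(str(e["keyfile"]))
            if src is None:
                problems.append(f"{e['target']}: derives key from {e['keyfile']}, "
                                "which is not unlocked earlier in crypttab")
            elif src["keyfile"] == "/dev/urandom":
                problems.append(f"{e['target']}: cannot derive a stable key from "
                                f"random-keyed mapping {src['target']}")
        seen[str(e["target"])] = e
    m = re.search(r"^RESUME=/dev/mapper/(\S+)", resume_conf, re.M)
    if m:
        swap = seen.get(m.group(1))
        if swap is None:
            problems.append(f"resume: {m.group(1)} is not a crypttab mapping")
        elif swap["keyfile"] == "/dev/urandom":
            problems.append(f"resume: {swap['target']} uses a random key, "
                            "so a hibernation image cannot be read back from it")
    return problems
```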

06-24-2011, 08:00 PM
Andrej Kacian

How to install with encrypted root?

On Fri, 10 Jun 2011 13:15:10 -0400
Christian Jaeger <chrjae@gmail.com> wrote:

>See my other reply, it seems pretty clear that there is a bug in the
>debian installer (assuming that the installer is *meant* to support
>installing a system with encrypted root and that the result boots).
>Glad it worked for you; please tell if you can add information to pin
>the problem down more.
>
>Christian.
>
>

I managed to install Squeeze (6.0, few days after it got released) on raid1 and
LVM2, with encryption (except for /boot), but I remember that I spent a lot of
time getting it right in the installer interface (and cursing a lot about how
an installer in 2011 can be so obtuse).

I think I may even have restarted the installation once or twice, because I
configured something in the disk setup incorrectly, and the interface did not
allow me to revert the change.

So, yes, it is possible, but not easy.

--
Andrej Kacian


Archive: http://lists.debian.org/20110624220045.4334d893@penny

06-24-2011, 10:01 PM
Christian Jaeger

How to install with encrypted root?

> So, yes, it is possible, but not easy.

That's a different issue.

(I can confirm that the first time I used the new installer with
LVM+luks, I too was a bit puzzled at first, but that's unrelated to
the bug that I've run into here, which AFAICT is not something that
can be avoided by using the installer correctly. Note that I did *not*
use LVM, which may be the reason that nobody else so far seems to be
able to confirm the bug.)

Christian.


Archive: http://lists.debian.org/BANLkTi=tdd1GAvKB5dtF-MPxf3vqEKqrxg@mail.gmail.com