From: Christophe <kereoz@kereoz.org>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Encrypt all partitions with dm-crypt
Date: Thu, 23 Aug 2012 17:10:25 +0200 [thread overview]
Message-ID: <20120823151025.GM14639@Latty> (raw)
In-Reply-To: <20120823112728.GA20834@tansi.org>
On Thu, Aug 23, 2012 at 01:27:28PM +0200, Arno Wagner wrote:
> > What do you mean by plain dm-crypt ?
>
> plain dm-crypt = cryptsetup not for LUKS, i.e. a headerless
> set-up. Used this way in the man-page and the FAQ. I assume
> that is what he meant.
> > If you mean aes-plain, then the mechanisms
>
> That is something different. Plain dm-crypt defaults to
> aes-cbc-essiv:sha256
Sorry, aes-plain was the default in previous versions if my memory is right...
anyway, without LUKS headers is what I had in mind, aes-plain being one of the
possible cipher strings.
> > present in most distributions won't be able to "see" your encrypted volumes, and
> > /etc/crypttab won't be of any use either.
> >
> > However, as Arno sait you can do it with an initramfs image. Debian for
> > instance has a pretty convenient mechanism to automatically create
> > initramfs images for your different kernels, and you can use hooks to
> > place your own scripts in it. When you install cryptsetup, Debian updates
> > all the initramfs images with the cryptsetup binary.
>
> Nice! Seems cryptsetup support in distros is definitely getting
> better.
Debian proposes an encrypted LVM partition scheme with cryptsetup/LUKS since a
few years now.
> > All you'll need to
> > to after that is to add a custom boot parameter to your bootloader (say
> > encrypted_root=/dev/sdX), place a script in the initramfs that will map
> > the partition with cryptsetup (e.g. cryptsetup -c aes-plain create root
> > ${encrypted_root}) and update your /etc/fstab (/dev/mapper/root / ...).
>
> So no full support yet? Pity. As some others here have pointed out,
> there are Distros with full cryptsetup integration. Gentoo seems
> to be one. On the other hand, it seems some problems Ubuntu has
> with LUKS are still not solved, so YMMV.
Debian has full support for cryptsetup/LUKS, but not for plain dm-crypt, not to
my knowledge anyway. I think this makes sense as there is no way to
automatically detect an encrypted partition with no header.
The only advantage I can see in using encrypted partitions with no header is to
"hide" the encrypted volume, however the partition, cipher and hash function
have to be specified somewhere if one wants the distro to be able to do
automatic configuration. The bootloader will need it in its configuration, which
doesn't make it any better than LUKS in terms of discreetness.
IMHO, successfully hiding an encrypted partition necessarily involves manual
operations, which makes plain dm-crypt out of the scope of a general distro such
as Debian.
--
Christophe
next prev parent reply other threads:[~2012-08-23 15:10 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-22 12:10 [dm-crypt] Encrypt all partitions with dm-crypt Stayvoid
2012-08-22 12:24 ` Arno Wagner
2012-08-22 15:40 ` Stayvoid
2012-08-22 15:52 ` Heinz Diehl
2012-08-22 15:54 ` Matthew Monaco
2012-08-22 15:57 ` Javier Juan Martínez Cabezón
2012-08-23 7:28 ` Arno Wagner
2012-08-23 9:00 ` Christophe
2012-08-23 11:27 ` Arno Wagner
2012-08-23 14:12 ` Heinz Diehl
2012-08-23 15:10 ` Christophe [this message]
2012-08-23 16:07 ` Arno Wagner
2012-08-23 18:12 ` Milan Broz
2012-08-23 19:34 ` Arno Wagner
2012-08-24 14:01 ` Milan Broz
2012-08-24 14:40 ` Heinz Diehl
2012-08-24 15:14 ` Arno Wagner
2012-09-05 4:21 ` Stayvoid
2012-09-05 13:01 ` Arno Wagner
2012-09-06 12:54 ` Stayvoid
2012-09-06 16:46 ` Arno Wagner
2012-09-06 17:53 ` Heinz Diehl
2012-09-06 19:58 ` Arno Wagner
2012-09-07 16:10 ` Stayvoid
2012-09-07 19:04 ` Arno Wagner
2012-09-08 2:50 ` Stayvoid
2012-09-08 7:01 ` Milan Broz
2012-09-09 16:21 ` Stayvoid
2012-09-15 0:52 ` Stayvoid
2012-09-15 1:09 ` Matthew Monaco
2012-09-15 1:10 ` Matthew Monaco
2012-09-20 7:13 ` Stayvoid
2012-09-20 9:18 ` Javier Juan Martínez Cabezón
2012-09-21 5:01 ` Stayvoid
2012-09-21 10:01 ` Arno Wagner
2012-09-21 18:14 ` Stayvoid
2012-09-22 22:36 ` Stayvoid
2012-09-25 3:12 ` Stayvoid
2012-09-25 6:31 ` Matthew Monaco
2012-09-25 7:13 ` Stayvoid
2012-09-25 13:58 ` Stayvoid
2012-09-25 19:06 ` Matthew Monaco
2012-09-25 23:54 ` Stayvoid
2012-09-26 2:12 ` Matthew Monaco
2012-09-26 8:23 ` Stayvoid
2012-09-26 9:24 ` Matthew Monaco
2012-09-26 10:49 ` Stayvoid
2012-09-26 10:51 ` Stayvoid
2012-09-26 11:13 ` Matthew Monaco
2012-09-26 23:34 ` Stayvoid
2012-09-15 6:13 ` Javier Juan Martínez Cabezón
2012-09-08 8:13 ` Heinz Diehl
2012-09-08 13:26 ` Arno Wagner
2012-09-08 14:37 ` Heinz Diehl
2012-09-08 16:05 ` Arno Wagner
2012-09-08 16:39 ` Heinz Diehl
2012-09-08 19:36 ` Arno Wagner
2012-09-08 14:58 ` Marc MERLIN
2012-09-19 4:15 ` Two Spirit
2012-09-19 4:52 ` Javier Juan Martínez Cabezón
2012-09-19 5:13 ` Arno Wagner
2012-08-24 14:47 ` Arno Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120823151025.GM14639@Latty \
--to=kereoz@kereoz.org \
--cc=dm-crypt@saout.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.