[dm-crypt] contribution offer and questions - LUKS system encryption with detached header

[dm-crypt] contribution offer and questions - LUKS system encryption with detached header

[Jim F]

I modified scripts to allow system encryption with a detached LUKS 
header. Everything but /boot is encrypted and the header can be either 
a partition or a file (say) in the initrd in /boot. And /boot can be on 
a separate device, e.g. a USB thumb drive, so the system drive can have 
only encrypted data with no indication that it's LUKS encrypted.

I'm writing to see if the changes would be of interest to anyone and 
how to include them in a package. I was using Linux Mint 12 but they 
should work (at least) with any of the Debian derivatives.

LM12 came with cryptsetup 1.1.3 so I got the latest source which at 
that time was 1.4.1. Since I didn't see any of the initramfs-tools 
scripts in the cryptsetup source, I assumed they were distributed in a 
different package. I've subsequently found that while there is a 
initramfs-tools package, the scripts related to cryptsetup are in the 
cryptsetup package. This observation applies at least to Debian, Ubuntu 
and Linux Mint.

Because of the difference in the source and packaging, I have the 
modified 1.1.3 scripts working with the 1.4.1 cryptsetup I built. After 
taking a quick look at 1.4.3, I've concluded it won't be too much work 
to get the changes in sync. However it would be best to do this only 
once. I was thinking about doing it with 1.4.3 which comes with Ubuntu 
12.10 but I see that 1.5.1 has just been released.

Given all this, can someone tell me:

  - how the scripts get packaged with cryptsetup since they don't 
appear to be in its source tree?

  - where the scripts are?

  - how to get the changes included with the distributions, assuming 
there's interest?

Thanks.

Jim

Re: [dm-crypt] contribution offer and questions - LUKS system encryption with detached header

[Arno Wagner]

On Fri, Oct 19, 2012 at 12:10:25AM -0400, Jim F wrote:
> 
> I modified scripts to allow system encryption with a detached LUKS
> header. Everything but /boot is encrypted and the header can be
> either a partition or a file (say) in the initrd in /boot. And /boot
> can be on a separate device, e.g. a USB thumb drive, so the system
> drive can have only encrypted data with no indication that it's LUKS
> encrypted.
> 
> I'm writing to see if the changes would be of interest to anyone and
> how to include them in a package. I was using Linux Mint 12 but they
> should work (at least) with any of the Debian derivatives.
> 
> LM12 came with cryptsetup 1.1.3 so I got the latest source which at
> that time was 1.4.1. Since I didn't see any of the initramfs-tools
> scripts in the cryptsetup source, I assumed they were distributed in
> a different package. I've subsequently found that while there is a
> initramfs-tools package, the scripts related to cryptsetup are in
> the cryptsetup package. This observation applies at least to Debian,
> Ubuntu and Linux Mint.

The initramfs is distribution-specific. There are no standards for 
it, or at least no binding ones. The only thing the kernel knows 
and needs is a specific filesystem  and the presence of init.
Anythinge else, including what init does is up to the distro.

The reason there are no such scripts in the cryptsetup package
is that it would not make sense to put them in there, as they
would be completely different for different distributions.
 
> Because of the difference in the source and packaging, I have the
> modified 1.1.3 scripts working with the 1.4.1 cryptsetup I built.
> After taking a quick look at 1.4.3, I've concluded it won't be too
> much work to get the changes in sync. However it would be best to do
> this only once. I was thinking about doing it with 1.4.3 which comes
> with Ubuntu 12.10 but I see that 1.5.1 has just been released.
> 
> Given all this, can someone tell me:
> 
>  - how the scripts get packaged with cryptsetup since they don't
> appear to be in its source tree?

They do not get packaged with cryptsetup. At least not 
distribution-specific ones. And with good reason.
 
>  - where the scripts are?

In the distribution ;-)

>  - how to get the changes included with the distributions, assuming
> there's interest?

Submitted to the distributions directly.

This is a frequent misconception you fell prey to here: Booting
is the responsibility of the distribution, all processes in it
are out of scope for cryptsetup. Cryptsetup just handles setting
up plain dm-crypt and LUKS partitions without any regard to
what process requests it or at what time it is requested, as long
as the kernel is running.

Here is what I recommend:
 
- Submit this to Mint for Mint.
- For Debian-like distros, submit it to Debian, it should
  eventually propagate down.

Arno
-- 
Arno Wagner,    Dr. sc. techn., Dipl. Inform.,   Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty 
are stupid, and those with any imagination and understanding are filled 
with doubt and indecision. -- Bertrand Russell 

Re: [dm-crypt] contribution offer and questions - LUKS system encryption with detached header

[Jim F]

Thanks for your reply, Arno.

> The reason there are no such scripts in the cryptsetup package
> is that it would not make sense to put them in there, as they
> would be completely different for different distributions.

Perhaps we're using the word 'package' differently. If one executes 
"dpkg -L cryptsetup" on Debian, Ubuntu or Mint, one does see the 
associated init crypto scripts. I was saying I don't see them in the 
source code at http://code.google.com/p/cryptsetup

I understand now that the scripts can be specific to the distribution. 
But I've also observed that they're identical or virtually so for 
Debian, Ubuntu & Mint for each release of cryptsetup. For example, the 
cryptroot scripts are exactly the same for deb-test-121015 & kubuntu 
12.10. FWIW, they're both at cryptsetup 1.4.3.

One thing I still don't understand is where the scripts are for (say) 
cryptsetup 1.5.1. I haven't seen a distribution for that version. Does 
that mean they don't exist yet? I've seen that the scripts may need to 
be modified as functionality is added to cryptsetup, e.g. 
--allow-discards. So while my use of cryptsetup 1.4.1 with my modified 
1.1.3 scripts worked for my purpose, that system I created doesn't 
support discards/TRIM requests even though the option is in cryptsetup. 
Accordingly, the scripts can also be specific to the cryptsetup 
version. That might suggest that someone is enhancing the scripts as 
features are added to cryptsetup.

Regarding your recommendations, I'll make the changes to the 1.4.3 
scripts and submit them to Debian. Can someone tell me how to do that? 
I looked at debian.org and see maybe hundreds of mailing lists but 
nothing obvious about the submission process if it's not a bug.

Regarding Mint, I thought it is based on Debian via Ubuntu. It looks 
like I would use the "idea module" of the Mint web site. But is there 
an advantage to submitting to Mint, too, since as you say, it should 
eventually propagate down?

Jim

Re: [dm-crypt] contribution offer and questions - LUKS system encryption with detached header

[Yves-Alexis Perez]

On mar., 2012-10-23 at 05:44 -0400, Jim F wrote:
> Thanks for your reply, Arno.
> 
> > The reason there are no such scripts in the cryptsetup package
> > is that it would not make sense to put them in there, as they
> > would be completely different for different distributions.
> 
> Perhaps we're using the word 'package' differently. If one executes 
> "dpkg -L cryptsetup" on Debian, Ubuntu or Mint, one does see the 
> associated init crypto scripts. I was saying I don't see them in the 
> source code at http://code.google.com/p/cryptsetup

They seem to be maintained in svn at
http://anonscm.debian.org/viewvc/pkg-cryptsetup/cryptsetup/trunk/debian/
> 
> I understand now that the scripts can be specific to the distribution. 
> But I've also observed that they're identical or virtually so for 
> Debian, Ubuntu & Mint for each release of cryptsetup. For example, the 
> cryptroot scripts are exactly the same for deb-test-121015 & kubuntu 
> 12.10. FWIW, they're both at cryptsetup 1.4.3.

Indeed, they flow from Debian to derivatives.
> 
> One thing I still don't understand is where the scripts are for (say) 
> cryptsetup 1.5.1. I haven't seen a distribution for that version. Does 
> that mean they don't exist yet? 

Yes.

> I've seen that the scripts may need to 
> be modified as functionality is added to cryptsetup, e.g. 
> --allow-discards. So while my use of cryptsetup 1.4.1 with my modified 
> 1.1.3 scripts worked for my purpose, that system I created doesn't 
> support discards/TRIM requests even though the option is in cryptsetup. 
> Accordingly, the scripts can also be specific to the cryptsetup 
> version. That might suggest that someone is enhancing the scripts as 
> features are added to cryptsetup.

Yup, although isn't discard supported in /etc/crypttab ?
> 
> Regarding your recommendations, I'll make the changes to the 1.4.3 
> scripts and submit them to Debian. Can someone tell me how to do that? 
> I looked at debian.org and see maybe hundreds of mailing lists but 
> nothing obvious about the submission process if it's not a bug.

Well, that's considered a bug anyway. Just use reportbug cryptsetup and
set the severity to wishlist.
> 
> Regarding Mint, I thought it is based on Debian via Ubuntu. It looks 
> like I would use the "idea module" of the Mint web site. But is there 
> an advantage to submitting to Mint, too, since as you say, it should 
> eventually propagate down?

My advice would be to fix it in Debian first and let it flow down to
derivatives.

Regards,
-- 
Yves-Alexis

Re: [dm-crypt] contribution offer and questions - LUKS system encryption with detached header

[Arno Wagner]

On Tue, Oct 23, 2012 at 05:44:42AM -0400, Jim F wrote:
> 
> Thanks for your reply, Arno.

No problem.
 
> >The reason there are no such scripts in the cryptsetup package
> >is that it would not make sense to put them in there, as they
> >would be completely different for different distributions.
> 
> Perhaps we're using the word 'package' differently. If one executes
> "dpkg -L cryptsetup" on Debian, Ubuntu or Mint, one does see the
> associated init crypto scripts. I was saying I don't see them in the

Yes, but that would be the _Debian_ cryptsetup package which
is derived by the Debian cryptsetup package maintainer from 
the proper cryptsetup package... 

> source code at http://code.google.com/p/cryptsetup

...which is maintained here.

> I understand now that the scripts can be specific to the
> distribution. But I've also observed that they're identical or
> virtually so for Debian, Ubuntu & Mint for each release of
> cryptsetup. For example, the cryptroot scripts are exactly the same
> for deb-test-121015 & kubuntu 12.10. FWIW, they're both at
> cryptsetup 1.4.3.

That is actually a good idea, but they are created by
the Debian project cryptsetup maintainer, not here.

> One thing I still don't understand is where the scripts are for
> (say) cryptsetup 1.5.1. I haven't seen a distribution for that
> version. Does that mean they don't exist yet? I've seen that the

Yes.

> scripts may need to be modified as functionality is added to
> cryptsetup, e.g. --allow-discards. So while my use of cryptsetup
> 1.4.1 with my modified 1.1.3 scripts worked for my purpose, that
> system I created doesn't support discards/TRIM requests even though
> the option is in cryptsetup. Accordingly, the scripts can also be
> specific to the cryptsetup version. That might suggest that someone
> is enhancing the scripts as features are added to cryptsetup.
> 
> Regarding your recommendations, I'll make the changes to the 1.4.3
> scripts and submit them to Debian. Can someone tell me how to do
> that? 

On the Debian project website, search for the cryptsetup package 
in the package search. The  Debian maintainer and development team 
addresses for cryptsetup should be there. Just contact them.

> I looked at debian.org and see maybe hundreds of mailing lists
> but nothing obvious about the submission process if it's not a bug.
> 
> Regarding Mint, I thought it is based on Debian via Ubuntu. It looks
> like I would use the "idea module" of the Mint web site. But is
> there an advantage to submitting to Mint, too, since as you say, it
> should eventually propagate down?

I don't think so.

Arno
-- 
Arno Wagner,    Dr. sc. techn., Dipl. Inform.,   Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty 
are stupid, and those with any imagination and understanding are filled 
with doubt and indecision. -- Bertrand Russell