From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Encrypt all partitions with dm-crypt
Date: Thu, 23 Aug 2012 18:07:28 +0200
Message-ID: <20120823160728.GA26979@tansi.org>
In-Reply-To: <20120823151025.GM14639@Latty>
On Thu, Aug 23, 2012 at 05:10:25PM +0200, Christophe wrote:
> On Thu, Aug 23, 2012 at 01:27:28PM +0200, Arno Wagner wrote:
> > > What do you mean by plain dm-crypt ?
> >
> > plain dm-crypt = cryptsetup not for LUKS, i.e. a headerless
> > set-up. Used this way in the man-page and the FAQ. I assume
> > that is what he meant.
>
> > > If you mean aes-plain, then the mechanisms
> >
> > That is something different. Plain dm-crypt defaults to
> > aes-cbc-essiv:sha256
>
> Sorry, aes-plain was the default in previous versions if my memory is right...
> anyway, without LUKS headers is what I had in mind, aes-plain being one of the
> possible cipher strings.
According to the FAQ Section 8.1 you are right. (I wrote that,
so I think it is correct ;-)
Ok.
> > > present in most distributions won't be able to "see" your encrypted volumes, and
> > > /etc/crypttab won't be of any use either.
> > >
> > > However, as Arno said you can do it with an initramfs image. Debian for
> > > instance has a pretty convenient mechanism to automatically create
> > > initramfs images for your different kernels, and you can use hooks to
> > > place your own scripts in it. When you install cryptsetup, Debian updates
> > > all the initramfs images with the cryptsetup binary.
> >
> > Nice! Seems cryptsetup support in distros is definitely getting
> > better.
>
> Debian proposes an encrypted LVM partition scheme with cryptsetup/LUKS since a
> few years now.
>
> > > All you'll need to
> > > to after that is to add a custom boot parameter to your bootloader (say
> > > encrypted_root=/dev/sdX), place a script in the initramfs that will map
> > > the partition with cryptsetup (e.g. cryptsetup -c aes-plain create root
> > > ${encrypted_root}) and update your /etc/fstab (/dev/mapper/root / ...).
> >
> > So no full support yet? Pity. As some others here have pointed out,
> > there are Distros with full cryptsetup integration. Gentoo seems
> > to be one. On the other hand, it seems some problems Ubuntu has
> > with LUKS are still not solved, so YMMV.
>
> Debian has full support for cryptsetup/LUKS,
For encrypted root? News to me, but would be a good thing.
> but not for plain dm-crypt, not to
> my knowledge anyway. I think this makes sense as there is no way to
> automatically detect an encrypted partition with no header.
>
> The only advantage I can see in using encrypted partitions with no header
> is to "hide" the encrypted volume, however the partition, cipher and hash
The second one is better resilience, as there is no header
single-point-of-failure. Whether that is worth total loss of
key management depends on the application.
> function have to be specified somewhere if one wants the distro to be able
> to do automatic configuration.
That is not the issue. Reasonable defaults would do that. The
issue is that the partition type cannot be detected anymore
without the key.
> The bootloader will need it in its
> configuration, which doesn't make it any better than LUKS in terms of
> discreetness.
Huh? What is the bootloader going to do with that info? Last
I checked, you still need a running kernel and system (possibly
in the form of an initrd) to do anything with encrypted partitions,
no matter whether LUKS or plain. I may be behind times here, if so,
please explain.
> IMHO, successfully hiding an encrypted partition necessarily involves
> manual operations, which makes plain dm-crypt out of the scope of a
> general distro such as Debian.
I agree. But hiding is not even supported by cryptsetup.
Headerless operation is something else.
Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
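The initramfs approach Christophe sketches above (a boot parameter such as encrypted_root=/dev/sdX, a script in the initramfs that maps the device with cryptsetup in plain mode, and /etc/fstab pointing at /dev/mapper/root) can be written as an initramfs-tools local-top hook. The script below is an added example for this thread; it is not code from the thread, from Debian's cryptsetup packaging or from the cryptsetup project. The hook path and name, the encrypted_root_cipher= parameter, the 256-bit key size, the ripemd160 hash and the presence of blkid in the initramfs are all assumptions; aes-cbc-essiv:sha256 is the plain-mode default Arno cites. It also adds the check Arno's point about headerless devices calls for: plain dm-crypt has no header to verify the passphrase against, so the only way to know the mapping is right is to look for a filesystem on it afterwards.

```shell
#!/bin/sh
# Hypothetical initramfs-tools hook (path and name are assumptions):
#   /etc/initramfs-tools/scripts/local-top/cryptroot-plain
# Maps a headerless (plain dm-crypt) root device named by the encrypted_root=
# kernel parameter and then verifies that a filesystem is visible on the mapping.

PREREQ=""
prereqs() { echo "$PREREQ"; }
case "${1:-}" in
    prereqs) prereqs; exit 0 ;;   # initramfs-tools asks for dependencies first
esac

# Print the value of KEY=... from a kernel command line string, or nothing.
cmdline_value() {
    _key="$1"
    # word-splitting the command line into $1.. is intended here
    set -- $2
    for _w in "$@"; do
        case "$_w" in
            "$_key"=*) printf '%s' "${_w#*=}"; return 0 ;;
        esac
    done
    return 0
}

# Build the cryptsetup argument list for the mapping. A plain device carries no
# header recording cipher, key size or hash, so all three are pinned explicitly:
# opening with different values (e.g. after an upgrade changed a compiled-in
# default) yields silent garbage rather than an error. The mapping is named
# "root" as in the quoted command; older cryptsetup takes the same options with
# "create root <device>" instead of "open --type plain <device> root".
# 256-bit key and ripemd160 are assumed values, not taken from the thread.
build_cryptsetup_args() {
    _dev=$(cmdline_value encrypted_root "$1")
    _cipher=$(cmdline_value encrypted_root_cipher "$1")
    printf 'open --type plain --cipher %s --key-size 256 --hash ripemd160 %s root' \
        "${_cipher:-aes-cbc-essiv:sha256}" "$_dev"
}

# Map the device. Plain mode accepts any passphrase without complaint, so the
# loop retries when no filesystem shows up on the result.
map_plain_root() {
    _cmdline=$(cat /proc/cmdline 2>/dev/null) || return 0
    _dev=$(cmdline_value encrypted_root "$_cmdline")
    [ -n "$_dev" ] || return 0            # nothing requested on this boot
    _tries=0
    while [ "$_tries" -lt 3 ]; do
        _tries=$((_tries + 1))
        if cryptsetup $(build_cryptsetup_args "$_cmdline"); then
            # blkid -p probes the device directly (no cache); a recognised
            # filesystem is the only evidence that passphrase and parameters
            # were right, since nothing else on a headerless device can be checked.
            if blkid -p /dev/mapper/root >/dev/null 2>&1; then
                return 0
            fi
            echo "cryptroot-plain: no filesystem on /dev/mapper/root, wrong passphrase?" >&2
            cryptsetup close root
        fi
    done
    echo "cryptroot-plain: giving up after $_tries attempts" >&2
    return 1
}

map_plain_root
```

Install the hook executable, run update-initramfs -u, add encrypted_root=/dev/sdX to the kernel command line and list /dev/mapper/root as / in /etc/fstab. The blkid probe after mapping is the part worth keeping whatever the rest looks like: it turns the silent "wrong passphrase or changed defaults" failure of headerless operation into a visible one at boot.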