* Re: [dm-crypt] Cryptsetup FAQ montly pointer 8/13
@ 2013-08-03 14:10 Dragan Milivojević
2013-08-03 14:47 ` Milan Broz
2013-08-03 17:47 ` Arno Wagner
0 siblings, 2 replies; 12+ messages in thread
From: Dragan Milivojević @ 2013-08-03 14:10 UTC (permalink / raw)
To: dm-crypt
> Another option for reliably identifying the swap partition is to use
> /dev/disk/by-id/<identifier> to identify the drive by model and serial
> number. For example, my own swap partition is
>
> /dev/disk/by-id/scsi-SATA_ST95005620AS_5YX1NEGE-part5
>
> That should be safe unless I re-purpose that drive and forget to update
> /etc/crypttab.
I would suggest using UUID. It works in all cases (partition, raid,
lvm member etc).
My crypttab (encrypted swap/home):
luks-4dc17e23-e895-4e4b-8061-114fb33c310b UUID=4dc17e23-e895-4e4b-8061-114fb33c310b none
luks-46969c48-ab1f-4bd7-bc2a-ae7c1bc86b26 UUID=46969c48-ab1f-4bd7-bc2a-ae7c1bc86b26 none
This was generated by fedora install.
* Re: [dm-crypt] Cryptsetup FAQ montly pointer 8/13
2013-08-03 14:10 [dm-crypt] Cryptsetup FAQ montly pointer 8/13 Dragan Milivojević
@ 2013-08-03 14:47 ` Milan Broz
2013-08-03 17:57 ` Arno Wagner
2013-08-03 17:47 ` Arno Wagner
1 sibling, 1 reply; 12+ messages in thread
From: Milan Broz @ 2013-08-03 14:47 UTC (permalink / raw)
To: Dragan Milivojević; +Cc: dm-crypt
On 08/03/2013 04:10 PM, Dragan Milivojević wrote:
>> Another option for reliably identifying the swap partition is to use
>> /dev/disk/by-id/<identifier> to identify the drive by model and serial
>> number. For example, my own swap partition is
>>
>> /dev/disk/by-id/scsi-SATA_ST95005620AS_5YX1NEGE-part5
>>
>> That should be safe unless I re-purpose that drive and forget to update
>> /etc/crypttab.
>
> I would suggest using UUID. It works in all cases (partition, raid,
> lvm member etc).
> My crypttab (encrypted swap/home):
>
> luks-4dc17e23-e895-4e4b-8061-114fb33c310b UUID=4dc17e23-e895-4e4b-8061-114fb33c310b none
> luks-46969c48-ab1f-4bd7-bc2a-ae7c1bc86b26 UUID=46969c48-ab1f-4bd7-bc2a-ae7c1bc86b26 none
>
> This was generated by fedora install.
Sure, this is the best way if you use LUKS and Fedora installer
is using LUKS even for swap.
For plain crypt (or Truecrypt) you have no UUID, so you cannot use it.
(You can use uuid/wwid of underlying device as mentioned above
but this is not always present.)
Milan
* Re: [dm-crypt] Cryptsetup FAQ montly pointer 8/13
2013-08-03 14:47 ` Milan Broz
@ 2013-08-03 17:57 ` Arno Wagner
2013-08-03 20:47 ` Milan Broz
0 siblings, 1 reply; 12+ messages in thread
From: Arno Wagner @ 2013-08-03 17:57 UTC (permalink / raw)
To: dm-crypt
On Sat, Aug 03, 2013 at 04:47:12PM +0200, Milan Broz wrote:
> On 08/03/2013 04:10 PM, Dragan Milivojević wrote:
> >> Another option for reliably identifying the swap partition is to use
> >> /dev/disk/by-id/<identifier> to identify the drive by model and serial
> >> number. For example, my own swap partition is
> >>
> >> /dev/disk/by-id/scsi-SATA_ST95005620AS_5YX1NEGE-part5
> >>
> >> That should be safe unless I re-purpose that drive and forget to update
> >> /etc/crypttab.
> >
> > I would suggest using UUID. It works in all cases (partition, raid,
> > lvm member etc).
> > My crypttab (encrypted swap/home):
> >
> > luks-4dc17e23-e895-4e4b-8061-114fb33c310b UUID=4dc17e23-e895-4e4b-8061-114fb33c310b none
> > luks-46969c48-ab1f-4bd7-bc2a-ae7c1bc86b26 UUID=46969c48-ab1f-4bd7-bc2a-ae7c1bc86b26 none
> >
> > This was generated by fedora install.
>
> Sure, this is the best way if you use LUKS and Fedora installer
> is using LUKS even for swap.
Which is not a general solution as that means
a) Suddenly all your secret stuff in swap survives reboots
b) Swap needs a passphrase to be unlocked!
In the general case you want neither of these to happen.
> For plain crypt (or Truecrypt) you have no UUID, so you cannot use it.
> (You can use uuid/wwid of underlying device as mentioned above
> but this is not always present.)
Indeed. I tried both when I wrote the entry, only to find that
neither worked on my system (Debian with custom kernel).
As this is not a distribution specific FAQ (there are those)
distribution specific stuff should not go into it. Of course
documentation for a specific distribution can contain specific
advice that is not general, and some people have already asked
me about such things, also with regard to encrypted swap.
Arno
> Milan
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult. --Tony Hoare
* Re: [dm-crypt] Cryptsetup FAQ montly pointer 8/13
2013-08-03 17:57 ` Arno Wagner
@ 2013-08-03 20:47 ` Milan Broz
2013-08-03 21:47 ` Arno Wagner
0 siblings, 1 reply; 12+ messages in thread
From: Milan Broz @ 2013-08-03 20:47 UTC (permalink / raw)
To: dm-crypt
On 3.8.2013 19:57, Arno Wagner wrote:
>> For plain crypt (or Truecrypt) you have no UUID, so you cannot use it.
>> (You can use uuid/wwid of underlying device as mentioned above
>> but this is not always present.)
>
> Indeed. I tried both when I wrote the entry, only to find that
> neither worked on my system (Debian with custom kernel).
>
> As this is not a distribution specific FAQ (there are those)
> distribution specific stuff should not go into it. Of course
> documentation for a specific distribution can contain specific
> advice that is not general, and some people have already asked
> me about such things, also with regard to encrypted swap.
Device UUID/model etc should not be distribution specific,
udev /dev/disk/by-id* is quite standard among distributions here.
In fact, udev reads it directly from /sys attributes, the same
as lsblk does.
Maybe FAQ should also note that kernel device names (sda/sdb etc) are
NOT generally persistent between reboots. (Usually it is the same but
nothing guarantees it, e.g. plugged USB disk or new SATA card can change
ordering and names). This is important mainly if you use swap keyword
which is formatted on boot.
Milan
* Re: [dm-crypt] Cryptsetup FAQ montly pointer 8/13
2013-08-03 20:47 ` Milan Broz
@ 2013-08-03 21:47 ` Arno Wagner
2013-08-03 22:51 ` Matthias Schniedermeyer
0 siblings, 1 reply; 12+ messages in thread
From: Arno Wagner @ 2013-08-03 21:47 UTC (permalink / raw)
To: dm-crypt
On Sat, Aug 03, 2013 at 10:47:25PM +0200, Milan Broz wrote:
> On 3.8.2013 19:57, Arno Wagner wrote:
> >>For plain crypt (or Truecrypt) you have no UUID, so you cannot use it.
> >>(You can use uuid/wwid of underlying device as mentioned above
> >>but this is not always present.)
> >
> >Indeed. I tried both when I wrote the entry, only to find that
> >neither worked on my system (Debian with custom kernel).
> >
> >As this is not a distribution specific FAQ (there are those)
> >distribution specific stuff should not go into it. Of course
> >documentation for a specific distribution can contain specific
> >advice that is not general, and some people have already asked
> >me about such things, also with regard to encrypted swap.
>
> Device UUID/model etc should not be distribution specific,
> udev /dev/disk/by-id* is quite standard among distributions here.
I thought so too, but the only thing I have in my /dev/disk/by-id
are my raid devices, nothing else, and I do have normal partitions.
> In fact, udev reads it directly from /sys attributes, the same
> as lsblk does.
lsblk works. I have no idea what is wrong here, but unless I
damaged it on two different systems without noticing, it does
not seem to be universal. Maybe something wrong in my kernel
configs?
> Maybe FAQ should also note that kernel device names (sda/sdb etc) are
> NOT generally persistent between reboots. (Usually it is the same but
> nothing guarantees it, e.g. plugged USB disk or new SATA card can change
> ordering and names). This is important mainly if you use swap keyword
> which is formatted on boot.
I have that in there, but maybe not clear enough. Added more.
Anyways, thanks to everybody for the feedback! It's great
that some people actually read the stuff I write!
Arno
* Re: [dm-crypt] Cryptsetup FAQ montly pointer 8/13
2013-08-03 21:47 ` Arno Wagner
@ 2013-08-03 22:51 ` Matthias Schniedermeyer
0 siblings, 0 replies; 12+ messages in thread
From: Matthias Schniedermeyer @ 2013-08-03 22:51 UTC (permalink / raw)
To: dm-crypt
On 03.08.2013 23:47, Arno Wagner wrote:
> On Sat, Aug 03, 2013 at 10:47:25PM +0200, Milan Broz wrote:
> > On 3.8.2013 19:57, Arno Wagner wrote:
> > >>For plain crypt (or Truecrypt) you have no UUID, so you cannot use it.
> > >>(You can use uuid/wwid of underlying device as mentioned above
> > >>but this is not always present.)
> > >
> > >Indeed. I tried both when I wrote the entry, only to find that
> > >neither worked on my system (Debian with custom kernel).
> > >
> > >As this is not a distribution specific FAQ (there are those)
> > >distribution specific stuff should not go into it. Of course
> > >documentation for a specific distribution can contain specific
> > >advice that is not general, and some people have already asked
> > >me about such things, also with regard to encrypted swap.
> >
> > Device UUID/model etc should not be distribution specific,
> > udev /dev/disk/by-id* is quite standard among distributions here.
>
> I thought so too, but the only thing I have in my /dev/disk/by-id
> are my raid devices, nothing else, and I do have normal partitions.
There must be something wrong(tm).
E.g. just looking for the SSD my operating system is placed on I get 3
different entries:
(Ignoring the partitions)
lrwxrwxrwx 1 root root 9 Jul 28 03:17 ata-Samsung_SSD_840_PRO_Series_S12RNEACC37670P -> ../../sda
lrwxrwxrwx 1 root root 9 Jul 28 03:17 scsi-SATA_Samsung_SSD_840S12RNEACC37670P -> ../../sda
lrwxrwxrwx 1 root root 9 Jul 28 03:17 wwn-0x5002538550114fa0 -> ../../sda
Counting all symlinks I have 31 in by-id!
This is also a Debian System with a custom kernel (3.10.3).
udev itself has a README somewhere describing what CONFIG parameters
have to be set for udev to fully work. I looked through that some ages ago
and I had a few missing back then.
Also "compatibility with old userspace"-options
like: CONFIG_SYSFS_DEPRECATED should be disabled.
--
Matthias
* Re: [dm-crypt] Cryptsetup FAQ montly pointer 8/13
2013-08-03 14:10 [dm-crypt] Cryptsetup FAQ montly pointer 8/13 Dragan Milivojević
2013-08-03 14:47 ` Milan Broz
@ 2013-08-03 17:47 ` Arno Wagner
2013-08-03 12:49 ` Alex Elsayed
1 sibling, 1 reply; 12+ messages in thread
From: Arno Wagner @ 2013-08-03 17:47 UTC (permalink / raw)
To: dm-crypt
On Sat, Aug 03, 2013 at 04:10:29PM +0200, Dragan Milivojević wrote:
> > Another option for reliably identifying the swap partition is to use
> > /dev/disk/by-id/<identifier> to identify the drive by model and serial
> > number. For example, my own swap partition is
> >
> > /dev/disk/by-id/scsi-SATA_ST95005620AS_5YX1NEGE-part5
> >
> > That should be safe unless I re-purpose that drive and forget to update
> > /etc/crypttab.
>
> I would suggest using UUID. It works in all cases (partition, raid,
> lvm member etc).
> My crypttab (encrypted swap/home):
>
> luks-4dc17e23-e895-4e4b-8061-114fb33c310b UUID=4dc17e23-e895-4e4b-8061-114fb33c310b none
> luks-46969c48-ab1f-4bd7-bc2a-ae7c1bc86b26 UUID=46969c48-ab1f-4bd7-bc2a-ae7c1bc86b26 none
>
> This was generated by fedora install.
It does not work for encrypted swap. And it cannot work,
as the UUID is stored in the partition itself. Just the same
as an empty partition does not have a UUID...
Arno
* Re: [dm-crypt] Cryptsetup FAQ montly pointer 8/13
2013-08-03 17:47 ` Arno Wagner
@ 2013-08-03 12:49 ` Alex Elsayed
0 siblings, 0 replies; 12+ messages in thread
From: Alex Elsayed @ 2013-08-03 12:49 UTC (permalink / raw)
To: dm-crypt
Arno Wagner wrote:
> It does not work for encrypted swap. And it cannot work,
> as the UUID is stored in the partition itself. Just the same
> as an empty partition does not have a UUID...
>
> Arno
If you're on GPT then you have the option of PARTUUID and PARTLABEL,
which *are* present in such cases - that only works for raw partitions,
but may be something to think about.
I dodge the whole thing by putting my LVM PV on top of LUKS, and then having
my swap in an LV. I need persistent swap (and thus LUKS, not random key) for
hibernation anyway, and doing it as described brings the number of keys
needed down to 1.
If I *had* RAID, I'd go (bottom to top) RAID -> LUKS -> LVM -> Swap/FS.
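Added example (not from any poster in this thread): a shell check of two points made in the messages above, that kernel names such as sda/sdb are not persistent and that a random-key swap has no UUID stored on it, run over a constructed crypttab. The function names, verdict strings and sample entries are assumptions for illustration; whether a tag form such as PARTUUID= is accepted depends on the crypttab implementation in use.

```sh
#!/bin/sh
# Added example: audit how crypttab entries name their source device.
# Sample data is constructed, except the by-id path and the LUKS UUID,
# which are the ones quoted in the thread.

# classify_source SPEC -> prints the kind of identifier SPEC is
classify_source() {
    case "$1" in
        UUID=*|/dev/disk/by-uuid/*)
            echo content-uuid ;;      # stored inside the partition's data
        PARTUUID=*|PARTLABEL=*|/dev/disk/by-partuuid/*|/dev/disk/by-partlabel/*)
            echo partition-table ;;   # stored in the GPT, not in the data
        /dev/disk/by-id/*)
            echo hardware-id ;;       # model/serial or WWN, via udev
        /dev/sd[a-z]*|/dev/hd[a-z]*|/dev/vd[a-z]*|/dev/nvme[0-9]*)
            echo kernel-name ;;       # enumeration order, may change
        *)
            echo other ;;
    esac
}

# audit_crypttab FILE -> one line per entry: "<name> <kind> <verdict>"
audit_crypttab() {
    while read -r name src key opts _ || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac
        kind=$(classify_source "$src")
        rekeyed=no                    # contents recreated on every boot?
        case ",$opts," in *,swap,*) rekeyed=yes ;; esac
        case "$key" in /dev/urandom|/dev/random) rekeyed=yes ;; esac
        verdict=ok
        if [ "$rekeyed" = yes ]; then
            case "$kind" in
                kernel-name)  verdict=UNSAFE-name-can-move ;;
                content-uuid) verdict=UNSAFE-no-uuid-on-disk ;;
            esac
        fi
        printf '%s %s %s\n' "$name" "$kind" "$verdict"
    done < "$1"
}

# Constructed sample crypttab: name, source device, key, options.
sample_crypttab() {
    cat <<'EOF'
# name  source-device  key  options
swap_a  /dev/sda5  /dev/urandom  swap
swap_b  UUID=00000000-0000-0000-0000-000000000000  /dev/urandom  swap
swap_c  /dev/disk/by-id/scsi-SATA_ST95005620AS_5YX1NEGE-part5  /dev/urandom  swap
swap_d  PARTUUID=11111111-1111-1111-1111-111111111111  /dev/urandom  swap
luks-4dc17e23-e895-4e4b-8061-114fb33c310b  UUID=4dc17e23-e895-4e4b-8061-114fb33c310b  none
EOF
}

# Demo run on the constructed sample; use audit_crypttab /etc/crypttab for a real file.
demo=$(mktemp) && sample_crypttab > "$demo" && audit_crypttab "$demo"
rm -f "$demo"
```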
* [dm-crypt] Cryptsetup FAQ montly pointer 8/13
@ 2013-08-02 21:54 Arno Wagner
2013-08-03 13:51 ` Robert Nichols
0 siblings, 1 reply; 12+ messages in thread
From: Arno Wagner @ 2013-08-02 21:54 UTC (permalink / raw)
To: dm-crypt
The FAQ can be found on the Web here:
http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions
and in the sources.
Changes:
- Added section on swap encryption as item 2.2
Arno
* Re: [dm-crypt] Cryptsetup FAQ montly pointer 8/13
2013-08-02 21:54 Arno Wagner
@ 2013-08-03 13:51 ` Robert Nichols
2013-08-03 17:46 ` Arno Wagner
2013-08-04 15:02 ` Sven Eschenberg
0 siblings, 2 replies; 12+ messages in thread
From: Robert Nichols @ 2013-08-03 13:51 UTC (permalink / raw)
To: dm-crypt
On 08/02/2013 04:54 PM, Arno Wagner wrote:
> The FAQ can be found on the Web here:
> http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions
> and in the sources.
>
> Changes:
> - Added section on swap encryption as item 2.2
Another option for reliably identifying the swap partition is to use
/dev/disk/by-id/<identifier> to identify the drive by model and serial
number. For example, my own swap partition is
/dev/disk/by-id/scsi-SATA_ST95005620AS_5YX1NEGE-part5
That should be safe unless I re-purpose that drive and forget to update
/etc/crypttab.
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
* Re: [dm-crypt] Cryptsetup FAQ montly pointer 8/13
2013-08-03 13:51 ` Robert Nichols
@ 2013-08-03 17:46 ` Arno Wagner
2013-08-04 15:02 ` Sven Eschenberg
1 sibling, 0 replies; 12+ messages in thread
From: Arno Wagner @ 2013-08-03 17:46 UTC (permalink / raw)
To: dm-crypt
That is not in there by intent as it is not universal,
but distribution- and kernel-dependent.
Arno
On Sat, Aug 03, 2013 at 08:51:09AM -0500, Robert Nichols wrote:
> On 08/02/2013 04:54 PM, Arno Wagner wrote:
> >The FAQ can be found on the Web here:
> > http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions
> >and in the sources.
> >
> >Changes:
> >- Added section on swap encryption as item 2.2
>
> Another option for reliably identifying the swap partition is to use
> /dev/disk/by-id/<identifier> to identify the drive by model and serial
> number. For example, my own swap partition is
>
> /dev/disk/by-id/scsi-SATA_ST95005620AS_5YX1NEGE-part5
>
> That should be safe unless I re-purpose that drive and forget to update
> /etc/crypttab.
>
> --
> Bob Nichols "NOSPAM" is really part of my email address.
> Do NOT delete it.
>
* Re: [dm-crypt] Cryptsetup FAQ montly pointer 8/13
2013-08-03 13:51 ` Robert Nichols
2013-08-03 17:46 ` Arno Wagner
@ 2013-08-04 15:02 ` Sven Eschenberg
1 sibling, 0 replies; 12+ messages in thread
From: Sven Eschenberg @ 2013-08-04 15:02 UTC (permalink / raw)
To: Robert Nichols; +Cc: dm-crypt
Personally I'd prefer using the WWN, as it certainly won't change
(separators on a serial,model,make combination might change any time ...)
On second thought, the separator of the string wwn and the actual wwn
could change too.
Okay, WWN is just another option.
Regards
-Sven
On Sat, August 3, 2013 15:51, Robert Nichols wrote:
> On 08/02/2013 04:54 PM, Arno Wagner wrote:
>> The FAQ can be found on the Web here:
>> http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions
>> and in the sources.
>>
>> Changes:
>> - Added section on swap encryption as item 2.2
>
> Another option for reliably identifying the swap partition is to use
> /dev/disk/by-id/<identifier> to identify the drive by model and serial
> number. For example, my own swap partition is
>
> /dev/disk/by-id/scsi-SATA_ST95005620AS_5YX1NEGE-part5
>
> That should be safe unless I re-purpose that drive and forget to update
> /etc/crypttab.
>
> --
> Bob Nichols "NOSPAM" is really part of my email address.
> Do NOT delete it.
>