On Fri, Nov 10, 2006 at 01:43:05PM +0100, martin f krafft wrote:
also sprach David Härdeman <[EMAIL PROTECTED]> [2006.11.10.1331 +0100]:
The hook should warn about these situations though and then skip
adding the resume partition details to the initramfs image...I'll
fix that
That's what I meant. Thanks for reading through my blather.
Ok, I've committed fixes for both your bugs to the SVN repo. Could you
please test the package? Either by downloading it from:
http://www.hardeman.nu/~david/cryptsetup_1.0.4-7_i386.deb
or, if you don't want to install deb's built by non-DD's, get the source
yourself from the svn repo (svn://svn.debian.org/pkg-cryptsetup/)
On a related note, if you do want to be able to resume from swap
without needing extra passphrases, the solution that I spoke with
Erich about (which I have working locally) is to first setup the
root partition (using e.g. LUKS) and then derive a key for the
swap partition using a hash of the root partition key. This would
give the swap partition a static key which does not need to be
stored in the image, thus allowing (u)swsusp.
Okay, but why a hash? Why not just the same passphrase then?
Two reasons:
1) Most importantly, I'm a lazy bastard. The easiest way to get the root
key from an independent script is to call "dmsetup table" which
provides the key as a hex-ascii string which would need to be
converted back to binary representation.
2) Paranoia, I'm not sure it's a good idea to have several pieces of
"known" source data (i.e. superblocks) encrypted with the same key.
Not something I can back up with any authority or research of course
:)
The script is very simple, I've attached it as an example. If you want
to use it, just plop it somewhere (let's say under /root) and make it
executable.
The change /etc/crypttab so that it says something like:
cryptroot /dev/hda1 none luks
cryptswap /dev/hda2 cryptroot
keyscript=/root/decrypt_derived,hash=sha256,size=256,cipher=aes-cbc-essiv:sha256
The keyscript will be copied into the initramfs image at creation time
and after that you'll have a static key for swap without having to enter
two passphrases.
I'm planning to commit it once I've written some more documentation for
it (so it might be post-Etch).
--
David Härdeman
#!/bin/sh
if [ -z "$1" ]; then
echo "$0: must be executed with a crypto device as argument" >&2
exit 1
fi
if ! device=$(dmsetup table 2> /dev/null | grep "$1"); then
echo "$0: failed to read device-mapper table" >&2
exit 1
fi
if [ -z "$device" ]; then
echo "$0: device $1 doesn't exist" >&2
exit 1
fi
if [ "$(echo "$device" | wc -l)" -ne 1 ]; then
echo "$0: more than one device match $1" >&2
exit 1
fi
type=$(echo -n "$device" | cut -d' ' -f4)
if [ "$type" != "crypt" ]; then
echo "$0: device $1 is not a crypto device" >&2
exit 1
fi
echo -n "$device" | cut -d' ' -f6
exit 0
