Package: cryptsetup
Version: 2:1.1.3-1
Severity: important
Hi.

I have not tried this out, nevertheless I'm quite sure it happens as I describe:

- In Debian, it's totally ok to have /usr on non-root-filesystems (even remote filesystems are ok, but I guess that's rather stupid when it comes to disk encryption).
- It's also completely ok (and very reasonable in order to secure against offline attacks) to encrypt /usr.
- Many keyscripts depend on content within /usr (e.g. my personal OpenPGP key scripts, or openct, opensc and openssl).

It's quite obvious that this will fail: The root-fs itself can be well decrypted (everything needed is in the initramfs), but then we pivot root, and all that stuff is gone... as soon as we try to decrypt any other device which uses a keyscript with dependencies in /usr... (e.g. /usr-fs itself)... we'll fail.

I guess there is no solution but one: Decrypt all such devices in the initramfs image. But this has of course many problems:

a) In case we support multilayered block devices... (as described here: http://wiki.debian.org/AdvancedStartupShutdownWithMultilayeredBlockDevices ) we're fucked ^^... well, at least everything gets extremely complicated.
b) If we'd already mount more than just root-fs during initramfs... will the normal init-system boot break?

Cheers,
Chris.
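A static check for the failure mode described in this report, added here as an example (it is not part of the original report and not cryptsetup code): it lists crypttab entries whose keyscript is stored on, or refers to paths under, a /usr that fstab mounts separately. The sample fstab and crypttab, the keyscript name `my_openpgp_key` and the helper names are constructed; the scan only sees literal /usr/ paths in the script text, not commands resolved through PATH.

```python
import re

SCRIPT_DIR = "/lib/cryptsetup/scripts"  # where Debian looks up bare keyscript names

def rows(text):
    """Whitespace-split fields of each non-blank, non-comment line."""
    return [l.split() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def read_file(path):
    """Script text, or None if the file cannot be read."""
    try:
        with open(path, "rb") as f:
            return f.read().decode("utf-8", "replace")
    except OSError:
        return None

def audit(crypttab, fstab, read_script=read_file):
    """Return (target, keyscript, reason) for keyscripts that need a not-yet-mounted /usr."""
    if not any(len(r) > 1 and r[1].rstrip("/") == "/usr" for r in rows(fstab)):
        return []  # /usr is part of the root fs, so it is present after the root switch
    findings = []
    for r in rows(crypttab):
        opts = r[3].split(",") if len(r) > 3 else []
        for opt in opts:
            if not opt.startswith("keyscript="):
                continue
            script = opt.split("=", 1)[1]
            if "/" not in script:            # bare name: resolved in SCRIPT_DIR
                script = SCRIPT_DIR + "/" + script
            if script.startswith("/usr/"):
                findings.append((r[0], script, "keyscript is stored on /usr"))
                continue
            body = read_script(script) or ""
            refs = sorted(set(re.findall(r"/usr/[\w./+-]+", body)))
            if refs:
                findings.append((r[0], script, "references " + ", ".join(refs)))
    return findings

# Constructed sample input (not taken from the bug report).
FSTAB = ("/dev/mapper/root_crypt / ext4 defaults 0 1\n"
         "/dev/mapper/usr_crypt /usr ext4 defaults 0 2\n")
CRYPTTAB = ("root_crypt /dev/sda2 none luks\n"
            "usr_crypt /dev/sda3 /boot/usr.gpg luks,keyscript=my_openpgp_key\n")
SCRIPTS = {SCRIPT_DIR + "/my_openpgp_key": '#!/bin/sh\n/usr/bin/gpg --decrypt "$1"\n'}

if __name__ == "__main__":
    for finding in audit(CRYPTTAB, FSTAB, SCRIPTS.get):
        print(*finding, sep=": ")
```

On a real system, pass the contents of /etc/crypttab and /etc/fstab and leave `read_script` at its default so the keyscripts are read from disk.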

