Re: [Tails-dev] Ticket #5705, desktop integration of cryptsetup TrueCrypt support
Hi Marco,

Marco Calamari wrote (07 Oct 2013 11:35:57 GMT) :
> I suspect that I'm wasting the time of list readers.

I don't think so :)

> What I said is in favour of Truecrypt to remain included, in TAILS,
> also a deprecated option, until a mature and better option [...]

It may not look like it's the case, but I do want to take such
concerns into account (and, TBH, this wasn't the case until a few
months ago).

I think that any decision on this topic has to take into account
whether someone, out there, is making this better option available,
and usable without running command lines by hand, and without running
a TC-specific GUI. I mean: if we can reasonably believe that such
a better option will be available in the foreseeable future, then I'm
personally 100% fine with keeping TC until then. But if nobody is
working on making this happen, then every single day we keep shipping
TC, more people will be getting used to it being available, and then
it becomes harder and harder to ever drop it.

> About desktop automation, I propose nothing, but simply tell that no
> easy desktop automation can be done if you cannot say that an
> encrypted volume is there, without relying on dirty tricks like use
> of persistence.

I do agree. This being said, being unable to do it automatically
doesn't prevent GNOME from allowing the user to do it easily (without
resorting to cryptsetup on the command-line).

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
___
tails-dev mailing list
tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
Re: [Tails-dev] Ticket #5705, desktop integration of cryptsetup TrueCrypt support
On Mon, 2013-10-07 at 12:28 +0200, intrigeri wrote:
> Hi Marco,
>
> Marco Calamari wrote (07 Oct 2013 09:38:32 GMT) :
> >> OK, but then GNOME Disks and Nautilus could have a way to "this is
> >> a TC volume, please unlock it".

I suspect that I'm wasting the time of list readers.

What I said is in favour of Truecrypt to remain included, in TAILS,
also a deprecated option, until a mature and better option
of LUKS will be available in Debian or Debian-Backports
(Cryptsetup 1.6.0) can be included in TAILS. (tcrypt option)

About desktop automation, I propose nothing, but simply tell that no
easy desktop automation can be done if you cannot say that an
encrypted volume is there, without relying on dirty tricks like use
of persistence.

IMO, no desktop automation is needed in this particular case.

JM2C. Marco

--
+--- http://www.winstonsmith.org ---+
| il Progetto Winston Smith: scolleghiamo il Grande Fratello |
| the Winston Smith Project: unplug the Big Brother |
| Marco A. Calamari mar...@marcoc.it http://www.marcoc.it |
| DSS/DH: 8F3E 5BAE 906F B416 9242 1C10 8661 24A9 BFCE 822B |
+ PGP RSA: ED84 3839 6C4D 3FFE 389F 209E 3128 5698 --+
Re: [Tails-dev] Ticket #5705, desktop integration of cryptsetup TrueCrypt support
Hi Marco,

Marco Calamari wrote (07 Oct 2013 09:38:32 GMT) :
>> OK, but then GNOME Disks and Nautilus could have a way to "this is
>> a TC volume, please unlock it".

> Gnome disk, Nautilus and NSA, all three cannot have that.

Do you mean "none of GNOME Disks and Nautilus", or "not all of GNOME
Disks and Nautilus"?

I cannot see why GNOME Disks (or even Nautilus) could not provide this
feature. May you please clarify?

> Only possibility I see, to put some info in a persistent
> file of Gnome. But just a request telling something like.
> "In the past you mounted this partition as Truecrypt container;
> want to do that again? If yes, gimme password"

As long as this is only stored in memory, for the duration of a Tails
session, this would be great. But I would not want to see that
available to all GNOME users around there, as it basically kills
plausible deniability. So, given we probably don't want to maintain
a delta with GNOME on this front, I doubt this is the way to go.
I'd be happy to be taught otherwise, though :)

> With no persistent properties, Nautilus may only look at all
> partitions, see those with no readable header of known type,
> and ask a possible mount for them.

I suspect this would lead to a painful user experience.

Cheers,
--
intrigeri
Re: [Tails-dev] Ticket #5705, desktop integration of cryptsetup TrueCrypt support
On Sat, 2013-10-05 at 22:17 +0200, intrigeri wrote:
> Marco Calamari wrote (05 Oct 2013 17:58:09 GMT) :
> > One doubt; a corrupted encrypted volume is a really bad thing; is
> > this feature stable from this standpoint?
>
> At least it's not documented as experimental. I suggest asking the
> cryptsetup maintainers, if you want a more authoritative answer :)

Will check for sure

> > Truecrypt volume header has no signature, and cannot be seen in any
> > way; it is indistinguishable from binary noise.
> > Truecrypt devices look like unformatted empty devices or partitions,
> > or noise-filled files.
>
> OK, but then GNOME Disks and Nautilus could have a way to "this is
> a TC volume, please unlock it".

Gnome disk, Nautilus and NSA, all three cannot have that.

Only possibility I see, to put some info in a persistent
file of Gnome. But just a request telling something like.
"In the past you mounted this partition as Truecrypt container;
want to do that again? If yes, gimme password"

With no persistent properties, Nautilus may only look at all
partitions, see those with no readable header of known type,
and ask a possible mount for them.

JM2C. Marco
Re: [Tails-dev] Ticket #5705, desktop integration of cryptsetup TrueCrypt support
Marco Calamari wrote (05 Oct 2013 17:58:09 GMT) :
> One doubt; a corrupted encrypted volume is a really bad thing; is
> this feature stable from this standpoint?

At least it's not documented as experimental. I suggest asking the
cryptsetup maintainers, if you want a more authoritative answer :)

> Truecrypt volume header has no signature, and cannot be seen in any
> way; it is indistinguishable from binary noise.
> Truecrypt devices look like unformatted empty devices or partitions,
> or noise-filled files.

OK, but then GNOME Disks and Nautilus could have a way to "this is
a TC volume, please unlock it".

Cheers,
--
intrigeri
Re: [Tails-dev] Ticket #5705, desktop integration of cryptsetup TrueCrypt support
On Sat, 2013-10-05 at 14:43 +0200, intrigeri wrote:
> Hi,
>
> irregula...@riseup.net wrote (05 Oct 2013 12:12:09 GMT) :
> > I made some simple tests in Debian testing to review desktop integration.
>
> Great, thanks! This was enough to motivate me to (procrastinate and)
> create tickets for the next steps.
>
> > A user can open a Truecrypt container using cryptsetup in command-line
> > with root privileges. I think that can be handled with sudo. Still, one
> > could say it's complicated for the average user to fire up command line
> > to open a Truecrypt container. That's a minus.

This is great news!
Average user that can understand giving an optional boot
parameter & manage Truecrypt panel, will not have
difficulties (IMO) using command line with some guide.

After this, there is always space to make things better and easier,
but this is a path that can be decided in a not-so-distant future.

One doubt; a corrupted encrypted volume is a really bad thing; is
this feature stable from this standpoint?

> > Gnome Disk Utility seems not to recognize the Truecrypt volume as it
> > does with say a LUKS volume. It just shows an unknown format's file with
> > size equal to the Truecrypt volume, assigned at a loopback device.

AFAIK, Luks volumes start with a signature, that makes a volume
recognizable.
Truecrypt volume header has no signature, and cannot be seen in any
way; it is indistinguishable from binary noise.
Truecrypt devices look like unformatted empty devices or partitions,
or noise-filled files.

Thanks. Marco

>
> Added this info to the blueprint:
> https://tails.boum.org/blueprint/replace_truecrypt/
>
> So, it looks like the next thing to do is:
>
> #6337 - Add support for TrueCrypt volumes in udisks
>
> I've created this ticket in our bug tracker, and requested the feature
> upstream:
>
> https://bugs.freedesktop.org/show_bug.cgi?id=70164
>
> This upstream feature request has way more chance to be fulfilled if
> someone proposes a patch. Any taker?
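An added illustration of the point discussed in the message above, not code from any list participant or from Tails, cryptsetup or GNOME: a probe that checks the start of a device for the cleartext LUKS signature and otherwise measures byte entropy. The sample buffers are constructed (deterministic noise stands in for a signature-less encrypted volume and for a randomly wiped partition), and the function names and the 7.9 bits-per-byte threshold are assumptions of this example.

```python
import hashlib
import math
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"  # cleartext signature at offset 0 of a LUKS header
SAMPLE_SIZE = 64 * 1024       # bytes inspected from the start of the device


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte histogram; 8.0 means uniformly random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def classify_header(buf: bytes) -> str:
    """Say what a desktop tool can learn from the first bytes of a device."""
    if buf[:6] == LUKS_MAGIC and len(buf) >= 8:
        (version,) = struct.unpack(">H", buf[6:8])  # big-endian version field
        return f"luks{version}"
    if not any(buf):
        return "blank"
    if entropy_bits_per_byte(buf) > 7.9:  # assumed threshold for "looks random"
        return "no-signature-high-entropy"
    return "unknown"


def constructed_noise(label: bytes, size: int = SAMPLE_SIZE) -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 in counter mode) for the demo."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(label + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:size])


# Constructed samples, not real volumes.
SAMPLES = {
    "luks": LUKS_MAGIC + struct.pack(">H", 1) + bytes(SAMPLE_SIZE - 8),
    "headerless-encrypted": constructed_noise(b"stand-in for a TrueCrypt volume"),
    "randomly-wiped": constructed_noise(b"stand-in for a wiped partition"),
    "zeroed": bytes(SAMPLE_SIZE),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:22} -> {classify_header(blob)}")
```

The two noise samples differ byte for byte yet receive the same label, which is why a desktop tool could only offer an unlock prompt for every such device rather than pick out the encrypted one.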
Re: [Tails-dev] Ticket #5705, desktop integration of cryptsetup TrueCrypt support
Hi,

irregula...@riseup.net wrote (05 Oct 2013 12:12:09 GMT) :
> I made some simple tests in Debian testing to review desktop integration.

Great, thanks! This was enough to motivate me to (procrastinate and)
create tickets for the next steps.

> A user can open a Truecrypt container using cryptsetup in command-line
> with root privileges. I think that can be handled with sudo. Still, one
> could say it's complicated for the average user to fire up command line
> to open a Truecrypt container. That's a minus.

> Gnome Disk Utility seems not to recognize the Truecrypt volume as it
> does with say a LUKS volume. It just shows an unknown format's file with
> size equal to the Truecrypt volume, assigned at a loopback device.

Added this info to the blueprint:
https://tails.boum.org/blueprint/replace_truecrypt/

So, it looks like the next thing to do is:

  #6337 - Add support for TrueCrypt volumes in udisks

I've created this ticket in our bug tracker, and requested the feature
upstream:

  https://bugs.freedesktop.org/show_bug.cgi?id=70164

This upstream feature request has way more chance to be fulfilled if
someone proposes a patch. Any taker?

Cheers,
--
intrigeri