Bug#517471: ability to configure the random key encryption of tmp partitions during installaion
Sorry, I sent this to the wrong address.

--- On 3/1/09, M. McGowan m.mcgowan...@googlemail.com wrote:

> On 2/28/09, Max Vozeler x...@debian.org wrote:
>> reassign 517471 partman-crypto
>> thanks
>>
>> On Fri, Feb 27, 2009 at 06:25:23PM -0500, M. McGowan wrote:
>>> It is possible to encrypt loop-aes and dm-crypt tmp (like /tmp or /var/tmp)
>>> partitions with a random key at boot time, but the Debian installer will not
>>> configure this. The installer will only configure swap partitions like that.
>>
>> Have you tried configuring the partition with a random key, and then setting
>> "Use as" of the encrypted partition to e.g. ext2? The installer should take
>> care of setting the fstab/crypttab flags as appropriate for tmp.
>>
>> If that doesn't work, it would indicate a bug we need to fix in partman-crypto.
>> It is supposed to work for both loop-AES and dm-crypt.
>>
>> Max
>
> For dm-crypt, I get an error that says, "You have chosen a random key type for
> SCSI2 (0,0,0), partition #6 (sdb) but requested the partitioner to create a
> file system on it. Using a random key type means that the partition data is
> going to be destroyed upon each reboot. This should only be used for swap
> partitions. Are you sure you want to use a random key?"
>
> Loop-aes gives me the usual, "The kernel was unable to re-read the partition
> table on /dev/loop0 (Invalid argument). This means Linux won't know anything
> about the modifications you made until you reboot. You should reboot your
> computer before doing anything with /dev/loop0."

--
To UNSUBSCRIBE, email to debian-boot-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#517471: ability to configure the random key encryption of tmp partitions during installaion
On 2/27/09, M. McGowan m.mcgowan...@googlemail.com wrote:
> package: debian-installer
> severity: wishlist
> version: 20090123

Sorry about the spelling error in the subject: "installaion" should be "installation".
Bug#517471: ability to configure the random key encryption of tmp partitions during installaion
reassign 517471 partman-crypto
thanks

On Fri, Feb 27, 2009 at 06:25:23PM -0500, M. McGowan wrote:
> It is possible to encrypt loop-aes and dm-crypt tmp (like /tmp or /var/tmp)
> partitions with a random key at boot time, but the Debian installer will not
> configure this. The installer will only configure swap partitions like that.

Have you tried configuring the partition with a random key, and then setting "Use as" of the encrypted partition to e.g. ext2? The installer should take care of setting the fstab/crypttab flags as appropriate for tmp.

If that doesn't work, it would indicate a bug we need to fix in partman-crypto. It is supposed to work for both loop-AES and dm-crypt.

Max
Processed: Re: Bug#517471: ability to configure the random key encryption of tmp partitions during installaion
Processing commands for cont...@bugs.debian.org:

> reassign 517471 partman-crypto
Bug#517471: ability to configure the random key encryption of tmp partitions during installaion
Bug reassigned from package `debian-installer' to `partman-crypto'.

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
Bug#517471: ability to configure the random key encryption of tmp partitions during installaion
package: debian-installer
severity: wishlist

It is possible to encrypt loop-aes and dm-crypt tmp (like /tmp or /var/tmp) partitions with a random key at boot time, but the Debian installer will not configure this. The installer will only configure swap partitions like that.

Creating a random key at each boot is more secure than using the same one, since then data will be securely deleted when the key is deleted, which normally happens at shutdown. (For exceptions, read about cold boot attacks.) Random keys also spare the user the trouble of having to type a password at each boot and worrying about the security of the key and the password.

A possible workaround is to configure the would-be tmp partitions as swap partitions during the installation process, and manually configure them to be tmp partitions after the first boot of the new Debian system.

An fstab entry for a loop-aes encrypted swap partition, with a new random key at each boot, looks like this:

  /dev/sda6  none  swap  sw,loop=/dev/loop0,encryption=serpent256  0 0

An fstab entry for a loop-aes encrypted tmp partition, with a new random key at each boot, looks like this:

  /dev/sda7  /tmp  ext2  defaults,loop=/dev/loop1,encryption=serpent256,phash=random/1777  0 0

More detailed documentation about loop-aes can be found in the losetup manual page.

Similar functionality is available for dm-crypt. A crypttab entry for a dm-crypt encrypted swap partition, with a new random key at each boot, looks like this:

  sda6_crypt  /dev/sda6  /dev/random  cipher=serpent-cbc-essiv:sha256,size=256,swap

Here is the fstab entry:

  /dev/mapper/sda6_crypt  none  swap  sw  0 0

A crypttab entry for a dm-crypt encrypted tmp partition, with a new random key at each boot, looks like this:

  sda7_crypt  /dev/sda7  /dev/random  cipher=serpent-cbc-essiv:sha256,size=256,tmp=ext2

Here is the fstab entry:

  /dev/mapper/sda7_crypt  /tmp  ext2  defaults  0 0

More detailed information about dm-crypt can be found in the manual pages cryptsetup and crypttab.
Personally, I prefer to use loop-aes for this application for the following reasons:

* It has a multi-key mode in which it uses 64 keys plus an additional 65th key, which makes it more secure.
* It seems to be faster during boot time. Dm-crypt seems to take a long time creating the ext2 partitions.
* dm-crypt might be more supported by Linux, but it is just a tmp partition, so if a kernel upgrade breaks loop-aes, there will be no data loss.
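The dm-crypt entries in this thread depend on two things working together: the crypttab entry keyed from /dev/random must carry the swap or tmp= option so the boot scripts re-create the swap area or filesystem, and the mapping may only ever back swap or a tmp directory, because its contents are gone after every reboot (the hazard the installer warning quoted earlier in the thread describes). As an added example, not part of the bug report or of partman-crypto, here is a POSIX shell check that audits constructed crypttab and fstab contents for random-key mappings that break either rule:

```shell
#!/bin/sh
# Constructed sample crypttab and fstab (not from any real system): the two
# random-key entries from the bug report, a LUKS entry with a persistent key,
# and two deliberately misconfigured random-key entries (sda8, sda9).
CRYPTTAB='sda6_crypt /dev/sda6 /dev/random cipher=serpent-cbc-essiv:sha256,size=256,swap
sda7_crypt /dev/sda7 /dev/random cipher=serpent-cbc-essiv:sha256,size=256,tmp=ext2
sda8_crypt /dev/sda8 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,tmp=ext4
sda9_crypt /dev/sda9 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256
home_crypt /dev/sda10 none luks'
FSTAB='/dev/mapper/sda6_crypt none swap sw 0 0
/dev/mapper/sda7_crypt /tmp ext2 defaults 0 0
/dev/mapper/sda8_crypt /srv/data ext4 defaults 0 2
/dev/mapper/sda9_crypt /var/tmp ext4 defaults 0 0
/dev/mapper/home_crypt /home ext4 defaults 0 2'

# Audit crypttab entries keyed from /dev/random or /dev/urandom: each must have
# the swap or tmp[=fs] option, and its /dev/mapper node may only be used for
# swap or a tmp directory in fstab. Warnings go to stderr; the number of
# problems found is printed on stdout. $1 = crypttab text, $2 = fstab text.
audit_random_key_mappings() {
    problems=0
    while read -r name dev keyfile opts; do
        [ -z "$name" ] && continue
        case "$keyfile" in
            /dev/random|/dev/urandom) ;;   # volatile key: check this entry
            *) continue ;;                 # persistent key: not our concern
        esac
        case ",$opts," in
            *,swap,*|*,tmp,*|*,tmp=*) ;;
            *) echo "WARNING: $name ($dev): random key but no swap/tmp option" >&2
               problems=$((problems + 1)) ;;
        esac
        # Mount point of /dev/mapper/<name> in fstab (empty if not mounted).
        mnt=$(printf '%s\n' "$2" | awk -v m="/dev/mapper/$name" '$1 == m { print $2 }')
        case "$mnt" in
            ''|none|swap|/tmp|/var/tmp) ;;
            *) echo "WARNING: $name ($dev): random key but mounted at $mnt, data is lost on every reboot" >&2
               problems=$((problems + 1)) ;;
        esac
    done <<EOF
$1
EOF
    echo "$problems"
}

audit_random_key_mappings "$CRYPTTAB" "$FSTAB"
```

On the constructed input this reports sda9 (no swap/tmp option) and sda8 (mounted at /srv/data) and prints 2.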