[Cryptofs-devel] Encrypted root

Max Vozeler max+cryptofs@hinterhof.net
Thu, 29 Jan 2004 02:31:19 +0100


Hi,

to get this list started I'll write about the current status of my
work on integrating encrypted filesystems. The loop-AES packages
should soon be complete in unstable and hopefully make it in time
for sarge. Some other things:

1. Encrypted root
  
  Here is how it works: The loop-aes-utils package provides
  an mkinitrd script that prepares the initrd for booting an
  encrypted root device. It copies the required tools to the
  initrd (gnupg, losetup) and creates the device nodes for
  accessing the root device in there. If it detects a console
  keymap, it will install that too.

  (The problem with mkinitrd refusing to run once booted
  into an encrypted root filesystem has been acknowledged by
  Herbert Xu and he will implement a solution in initrd-tools)

  During boot the keymap is installed, an optionally configured
  keyfile device is fscked and mounted, and then losetup is called.
  The script will retry the losetup twice and then error out if
  the wrong passphrase has been entered. This could do with a
  nicer error message.
  
  Then it announces the new root device and the standard 
  Debian boot process continues. This is almost complete and 
  working nicely for me, but I have received no feedback on
  this at all, so if you use this with or without success,
  please tell me. Suggestions on how to improve the documentation
  are also welcome.

2. partman-cryptofs
  
  Still at an early stage. As I'm tired I will spare most details
  to another mail cross-posted to debian-boot sometime this week.
 
  There has been no successful install yet ;) But I have some
  debconf prompts for the cipher, passphrase and their respective
  menu directory scripts. When the user has answered those, he can
  choose to finish the partitioning and create a virtual
  device called "Encrypted Space #n".

  The problem is that partman insists on creating a partition table
  on the new device and we don't want that. That's where I stopped
  last time.

Ok, that's all for today. I'm looking forward to hearing from you
people on what you think about this, any problems there still are,
ideas, ...

Cheers
Max

-- 
Max Vozeler <max@hinterhof.net>           http://hinterhof.net/~max
GnuPG B7CDA2DC : 308E 81E7 B979 63BC A0E6  ED88 9D5B D511 B7CD A2DC
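The retry-then-fail-closed step of the initrd boot described in point 1 (try losetup, retry twice on a wrong passphrase, then error out instead of announcing a root device), as an added example that is not the mail's own script and not code from the loop-aes-utils package. The real initrd script would run losetup with the loop-AES options against the actual devices; this sketch takes the setup command as a parameter so the bounded-retry logic can be exercised offline with a constructed stand-in. The device names /dev/hda2 and /dev/loop0, the function names and the FAKE_* variables are all assumptions made for the example.

```shell
#!/bin/sh
# Added example: sketch of the bounded-retry step from the mail, with the
# loop-device setup command passed in so it can be tested with a stand-in.
# Names and device paths are constructed for the example.

# Counter file used only by the constructed stand-in below (assumed path).
FAKE_COUNTER=${FAKE_COUNTER:-${TMPDIR:-/tmp}/fake_losetup.count}

# setup_encrypted_root ROOTDEV LOOPDEV SETUP_CMD
#   Calls SETUP_CMD LOOPDEV ROOTDEV at most three times (one try plus the
#   two retries the mail describes).  Returns 0 once the device is set up,
#   1 if every attempt failed, so the caller never announces a root device
#   that was not unlocked.
setup_encrypted_root() {
    rootdev=$1
    loopdev=$2
    setup_cmd=$3
    attempt=1
    while [ "$attempt" -le 3 ]; do
        if "$setup_cmd" "$loopdev" "$rootdev"; then
            echo "root device $loopdev ready"
            return 0
        fi
        echo "Wrong passphrase for $rootdev (attempt $attempt of 3)" >&2
        attempt=$((attempt + 1))
    done
    echo "Giving up on $rootdev after 3 attempts; no root device announced" >&2
    return 1
}

# Constructed stand-in for the losetup call: it "rejects the passphrase"
# for the first FAKE_WRONG_ATTEMPTS calls and succeeds afterwards.  Real
# losetup would be invoked here with the loop-AES cipher and key options.
fake_losetup() {
    n=$(cat "$FAKE_COUNTER" 2>/dev/null || echo 0)
    n=$((n + 1))
    echo "$n" > "$FAKE_COUNTER"
    [ "$n" -gt "${FAKE_WRONG_ATTEMPTS:-0}" ]
}

# Demo with the stand-in: two wrong passphrases, success on the third try.
rm -f "$FAKE_COUNTER"
FAKE_WRONG_ATTEMPTS=2
export FAKE_WRONG_ATTEMPTS
setup_encrypted_root /dev/hda2 /dev/loop0 fake_losetup
```

Setting FAKE_WRONG_ATTEMPTS to 3 or more makes every attempt fail, and the function then returns 1 without printing the "ready" line, which is the fail-closed behaviour the initrd relies on before handing over to the normal boot.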