Talk:System Encryption with LUKS for dm-crypt

From ArchWiki

Jump to: navigation, search

I'm considering to do some editing and rewriting of this page, mainly in part "4 The Steps". The content would mostly stay the same, safe for some changes introduced with the newer versions of arch, where less console switching and module loading is needed. On the same subject should we drop, or move to a subsection, the parts related to versions 0.72 of arch?

Does anyone have objections to my plans, or should I just go ahead and we can revert back if it doesn't fit?

WhiteMagic 12:56, 24 May 2007 (EDT)

Contents

[edit] Encrypted Swap

http://bbs.archlinux.org/viewtopic.php?id=26097 - this is I think, better solution for encrypted swap.

Probably the SWAP keyword, which can be used in /etc/crypttab, should be mentioned. --gothmog.todi 12:47, 24 July 2007 (EDT)
I've added a paragraph about the SWAP keyword some while ago. Does anybody see a reason to keep the information about setting up random swap encryption manually? I can't think about a use case where it should be preferred to the automatic one. -- gothmog.todi 15:16, 5 February 2008 (EST)

[edit] Luks and suspend2

Would it be worth adding a section on opening encrypted drives from the kernel command line, or more specifically on combining luks and suspend2? As far as I can tell opening a swap partition from crypttab doesn't make it available in time to resume from, but adding the following to a lilo append option does: 

resume2=swap:/dev/mapper/swap cryptdevice=/dev/sda2:swap

I'm not sure if this is the correct/best way of doing this, though, and didn't see other documentation.

[edit] Setting up LUKS 

cryptsetup -c aes-lrw-benbi -h sha256 -y -s 384 luksFormat /dev/sda3

I'm quite sure that the '-h' here is ignored by luksFormat. Somebody knows about this?

-- gothmog.todi 14:57, 31 January 2008 (EST)

I tested it and luksFormat does ignore it, so I removed it. -- gothmog.todi 17:27, 3 February 2008 (EST)

[edit] Misc

Look: http://wiki.archlinux.org/index.php/User_talk:Gothmog.todi#LUKS

Summary: we could insert a short explanation so every user can chose between a "LRW mode" swap partition or a "CBC-ESSIV mode" swap partition. ekerazha 07:11, 3 February 2008 (EST)

Improved the "note" (I hope) ;-) ekerazha 12:28, 3 February 2008 (EST)
Thank you, it's better now. I added a shot info about suspend2disk in connection with encrypted swap. -- gothmog.todi 17:26, 3 February 2008 (EST)
I've added other info because with "uswsusp" you can also encrypt the suspend image, so it should also encrypt the "kernel space" key we used for dm-crypt before storing it to the lrw ciphered volume. ekerazha 09:30, 4 February 2008 (EST)

[edit] Merge proposal

As you can see, I tried to merge 4 articles that covered the same (or very similar) subject into this one. There was wrong/redundant informations between the various pages. -- ekerazha 18:36, 3 February 2008 (EST)

There's still a very redundant page (this one: Disk encryption) but the user "Post" believes to own it (see User_talk:Ekerazha) so I can't merge/redirect that page... and I have no desire to lose my time with him. -- ekerazha 19:12, 3 February 2008 (EST)
Sure, your page contains more topics (USB stick and loopback), but the overall quality still sucks.
Post 19:28, 3 February 2008 (EST)
You still don't understand this ISN'T "my" page: many users contributed to this page. However, "YOUR" page, compared to this, is *very* superficial, just look at the notes with deeper explanations we have here. If you have improvements (but I doubt it, considering the low level of your arguments), you can contribute to this page instead of keeping a redundant page because you like to own a wiki page. -- ekerazha 19:36, 3 February 2008 (EST)
Owning a wiki page is 1337.
Post 19:55, 3 February 2008 (EST)

Now really, could you both please try to behave a little bit more like grown-ups? A wiki is supposed to be a place of objective information and discussion, you know. I don't know if you are aware how this normally works, so I'm going to explain it: I added merge-tags on both pages (as it probably should have be done from the beginning). And now a discussion should be started whether or not the pages should be merged. -- gothmog.todi 04:32, 4 February 2008 (EST)

So, Disk_encryption does indeed seem rather redundant to me. Post, could you may try to explain why you think there is a need for it as an independent article? -- gothmog.todi 04:37, 4 February 2008 (EST)

The current situation is: 3 pages already merged here, 2 proposed merges (Disk_encryption and RAID_Encryption_LVM). This article doesn't talk about the LVM setup, RAID_Encryption_LVM mainly talks about the LVM setup (not only however), Disk_encryption (the page "property of Post") talks about both LVM and non-LVM setups but in a very superficial way. These pages should be definitely merged together in order to avoid redundant informations. Gothmog.todi seems to agree to me about the redundancy of Disk_encryption. -- ekerazha 07:23, 4 February 2008 (EST)

You should at first clean up this page before merging all other pages with it and making it the Ultimate Guide to Encryption. It contains some really weird/obsolete stuff, like loading modules (it is done automatically), generating a keyfile with head (lawl), setting up swap via /etc/rc.local, giving "-y" option to cryptsetup, etc. Of course, I could fix these things, but there is one thing I cannot fix - that someone who simply wants to set up encryption will need to read all this crap and waste his time (like I was back then when I was setting up encrypted partitions for the first time).
Post 14:05, 4 February 2008 (EST)
You say loading modules is done automatically... partially it could be true (I didn't write that paragraph), however on x86_64 what module is used? As I've written inside a "note", x86_64 can *also* use an optimized version of the AES module: you can't settle everything "automatically" and "your" page doesn't explain there are 2 different modules. And what's wrong with giving "-y" to cryptsetup? The page you have written is a strictly "step by step" guide for people who don't understand what is doing. Why do you use "cbc-essiv" instead of "lrw" for the swap partition? Who knows... of course, that page is shorter and "step by step" but because of this, it is really really superficial (and still redundant). This is why I think it should be definitely merged. -- ekerazha 06:26, 5 February 2008 (EST)
I don't think that the additional information given in this article is crap. (But it does need some love) I rather see it as important for someone using encryption to fully understand what he is doing. Sure, for someone who just needs a quick step-by-step it's burdensome to filter out the needed commands. Maybe some kind of "short version" of the setup would help here? (I remember that something like this was in an early version of Disk_encryption) What do you think of this? I would prefer it to an extra article, which would likely lead to inconsistency between it and this one. -- gothmog.todi 14:43, 5 February 2008 (EST)

About RAID_Encryption_LVM: I really don't see much reason to keep this separate. It's rather out-of-date and would need some serious revisions. And the difference compared to the normal cyrpto setup is not really big: it could easily be put in a subsection here, with a link to the article about LVM/raid setup (Installing_with_Software_RAID_or_LVM. This one is out-dated as well, but thats another topic) -- gothmog.todi 15:08, 5 February 2008 (EST)

I agree. However I don't use LVM (I prefer UnionFS for my needs), so I don't have the "background" to merge that part. Could you do this? -- ekerazha 15:45, 5 February 2008 (EST)
I merged it, but it still needs some cleanup. -- gothmog.todi 08:13, 6 February 2008 (EST)

I merged mine. ^^

Post 18:51, 5 February 2008 (EST)

Well... now some cleanup is needed: maybe we could begin removing the "rc.local" way of setting up the swap partition (the other one is more elegant). ekerazha 06:25, 6 February 2008 (EST)

Yeah, I already proposed that in another section of this page ;-) (#Encrypted_Swap) Lets go for it. -- gothmog.todi 07:11, 6 February 2008 (EST)
I removed the rc.local way, and adapted the automatic one, it may still need some work to fit in. -- gothmog.todi 08:15, 6 February 2008 (EST)
"-y" option to cryptsetup (at least when using LUKS) is unnecessary, since LUKS asks to confirm the password by default. Two methods for generating a key are given (head/tail and dd). The former is just... weird. And why the key size given in the latter is 2K? No explanations given. And does someone use Arch64? It needs to be tested whether the aes_x86_64 module is loaded automatically. Well, and it's not supposed to be step-by-step, but sections 5-8 ARE step-by-step. This page really needs to get improved.
Post 10:52, 6 February 2008 (EST)
Inside "man cryptsetup" it's not documented that -y doesn't affect luks (it IS documented that it ACCEPTS -y, while it's documented that -h doesn't affect luksFormat), is there another guy that could confirm this (I'll try by myself asap). About the key generation, cleanup the unuseful stuff if you want... I didn't write that part so I can't say why it is that way. I use Arch64 and I didn't test what it loads by default, however reading the source code and some web pages, it seems like it uses the unoptimized "aes.ko" module (not "aes-i586.ko" and not "aes_x86_64.ko"), but I wait for confirmations. -- ekerazha 12:30, 6 February 2008 (EST) 
And, if your root partition is on lvm, change USELVM in /etc/rc.conf to yes.
What THIS has to do with the root partition? The root partition needs to be already mounted in order to read /etc/rc.conf. Isn't this for scanning for other (non-root) volumes?
Post 11:04, 6 February 2008 (EST)
Yes, you are right. Thank you, I changed it. -- gothmog.todi 13:56, 6 February 2008 (EST)

[edit] New cipher mode

Kernel 2.6.24 supports "aes-xts-plain" (instead of "cbc" or "lrw"). Waiting for kernel 2.6.24 to reach [core] (and new CD version), stay tuned :-) ekerazha 09:00, 6 February 2008 (EST)

Sounds cool.
If you can't wait you can get a livecd that has a 2.6.24 kernel (such as the daily builds of ubuntu http://cdimage.ubuntu.com/daily-live/current/). It worked for me. inthemedium 10:14, 6 February 2008 (EST)
Question: xts-plain VS xts-benbi http://thread.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt/2585 ekerazha 09:13, 13 April 2008 (EDT)
-plain is the good one (specs: http://grouper.ieee.org/groups/1619/email/pdf00086.pdf ) ekerazha 13:00, 16 April 2008 (EDT)
Retrieved from "http://wiki.archlinux.org/index.php/Talk:System_Encryption_with_LUKS_for_dm-crypt"
Personal tools