Decipher
I have been a user of encfs for some time. I actually did want to encrypt my whole root filesystem (just for fun, nothing to hide ;-)), but the loopback way is a hack and the old weak initialization vectors make watermark attacks easy. The weak key management was also a showstopper. Now that LUKS is relatively standard, I hoped that with Ubuntu's upcoming Edgy Eft the dm-crypt + LUKS setup would be well enough integrated.
Unfortunately this is not the case. The installer does not support this yet. There is a myriad of conflicting documentation on how to set this up properly. Most of it is misleading and outdated. There are a thousand ways to do this, but I wanted to do it in a way that will be supported properly in the future. This guide is the best there is on this topic, and following it literally does work for Edgy Eft.
One thing Edgy has changed (compared to the guide, which is actually for Dapper Drake) is that the latest cryptsetup package already has encrypted root initramfs hooks. By adding cryptopts to the kernel line (or via kopts in grub) or by creating a /etc/initramfs-tools/conf.d/cryptoroot file, the system _should_ come up automatically with the passphrase question. After a lot of fiddling (every distro seems to have its own way of specifying the parameters) I still did not get this working. If you use the kernel line options, cryptsetup is not installed in the initrd, and if you use the conf file option, the proper kernel modules are not loaded.
Usually I behave like a good open source citizen and file nice bug reports about this, instead of whining in a journal entry. This time the 1000 different ways of doing this, plus the already very confusing bug reports about this package, left me feeling disqualified to do so. In the end, just following the guide for Ubuntu and writing my own non-configurable initramfs hook functions (which conflict with the future cryptopts settings!) seems the best way right now. What makes the situation even more difficult for beginners is that Google does not list the proper page for Ubuntu but a very outdated howto, so hopefully this entry will help the proper guide bubble up.
Hopefully this is something that is going to get better in the future! Distributors, please fix this and standardize! On the bright side, the Debian future for this looks most promising: a clean implementation and support in the beta installer.

