[dm-crypt] contribution offer and questions - LUKS system encryption with detached header

Arno Wagner arno at wagner.name
Fri Oct 19 08:10:59 CEST 2012


On Fri, Oct 19, 2012 at 12:10:25AM -0400, Jim F wrote:
> 
> I modified scripts to allow system encryption with a detached LUKS
> header. Everything but /boot is encrypted and the header can be
> either a partition or a file (say) in the initrd in /boot. And /boot
> can be on a separate device, e.g. a USB thumb drive, so the system
> drive can have only encrypted data with no indication that it's LUKS
> encrypted.
> 
> I'm writing to see if the changes would be of interest to anyone and
> how to include them in a package. I was using Linux Mint 12 but they
> should work (at least) with any of the Debian derivatives.
> 
> LM12 came with cryptsetup 1.1.3 so I got the latest source which at
> that time was 1.4.1. Since I didn't see any of the initramfs-tools
> scripts in the cryptsetup source, I assumed they were distributed in
> a different package. I've subsequently found that while there is an
> initramfs-tools package, the scripts related to cryptsetup are in
> the cryptsetup package. This observation applies at least to Debian,
> Ubuntu and Linux Mint.

The initramfs is distribution-specific. There are no standards for 
it, or at least no binding ones. The only thing the kernel knows 
and needs is a specific filesystem and the presence of init.
Anything else, including what init does, is up to the distro.

The reason there are no such scripts in the cryptsetup package
is that it would not make sense to put them in there, as they
would be completely different for different distributions.
 
> Because of the difference in the source and packaging, I have the
> modified 1.1.3 scripts working with the 1.4.1 cryptsetup I built.
> After taking a quick look at 1.4.3, I've concluded it won't be too
> much work to get the changes in sync. However it would be best to do
> this only once. I was thinking about doing it with 1.4.3 which comes
> with Ubuntu 12.10 but I see that 1.5.1 has just been released.
> 
> Given all this, can someone tell me:
> 
>  - how the scripts get packaged with cryptsetup since they don't
> appear to be in its source tree?

They do not get packaged with cryptsetup. At least not 
distribution-specific ones. And with good reason.
 
>  - where the scripts are?

In the distribution ;-)

>  - how to get the changes included with the distributions, assuming
> there's interest?

Submitted to the distributions directly.

This is a frequent misconception you fell prey to here: Booting
is the responsibility of the distribution, all processes in it
are out of scope for cryptsetup. Cryptsetup just handles setting
up plain dm-crypt and LUKS partitions without any regard to
what process requests it or at what time it is requested, as long
as the kernel is running.

Here is what I recommend:
 
- Submit this to Mint for Mint.
- For Debian-like distros, submit it to Debian, it should
  eventually propagate down.

Arno
-- 
Arno Wagner,    Dr. sc. techn., Dipl. Inform.,   Email: arno at wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty 
are stupid, and those with any imagination and understanding are filled 
with doubt and indecision. -- Bertrand Russell 

