[dm-crypt] distributing compressed, encrypted, and signed images

Alex Polvi alex at polvi.net
Thu Mar 6 16:55:24 CET 2014


Hello again,

To put this question another way: How do you calculate the required
size of the hash_dev? By observation, it appears to be just under 1%
of the disk size.

Thank you for your help,

-Alex

On Sun, Mar 2, 2014 at 6:54 PM, Alex Polvi <alex at polvi.net> wrote:
> Hello,
>
> Thank so much to the developers of dm-crypt for all your hard work,
> this stuff is great!
>
> I'm trying to build a root filesystem in a squashfs, that is then
> encrypted using cryptsetup, then verified with veritysetup. The goal
> is to create a container filesystem that is encrypted and verified.
>
> I'm able to do all this no problem, but I'm a bit confused on how the
> hash_dev[1] is supposed to be used. For my testing, I used a loopback
> device for my hash_dev. When I'm ready to distribute my encrypted
> squashfs to someone, I was expecting to give over the passphrase for
> cryptsetup, and the sha256 generated by veritysetup format. However,
> it looks like I also have to distribute my hash_dev as well. Is that
> the case? Does that mean I need to ship my main image, the hash_dev
> image, and sha256 that corresponds to both? Is there some clever way
> to do this that I am overlooking?
>
> Also, since squashfs is readonly already, is dm-verity overkill? I'm a
> bit lost on the advantage of the hash_dev over just checking the hash
> it before mounting.
>
> Any pointers/suggestions very much appreciated! Thank you again for
> all your support.
>
> Regards,
>
> -Alex
>
> [1]: https://code.google.com/p/cryptsetup/wiki/DMVerity


More information about the dm-crypt mailing list