[dm-crypt] distributing compressed, encrypted, and signed images
alex at polvi.net
Mon Mar 3 03:54:59 CET 2014
Thank so much to the developers of dm-crypt for all your hard work,
this stuff is great!
I'm trying to build a root filesystem in a squashfs, that is then
encrypted using cryptsetup, then verified with veritysetup. The goal
is to create a container filesystem that is encrypted and verified.
I'm able to do all this no problem, but I'm a bit confused on how the
hash_dev is supposed to be used. For my testing, I used a loopback
device for my hash_dev. When I'm ready to distribute my encrypted
squashfs to someone, I was expecting to give over the passphrase for
cryptsetup, and the sha256 generated by veritysetup format. However,
it looks like I also have to distribute my hash_dev as well. Is that
the case? Does that mean I need to ship my main image, the hash_dev
image, and sha256 that corresponds to both? Is there some clever way
to do this that I am overlooking?
Also, since squashfs is readonly already, is dm-verity overkill? I'm a
bit lost on the advantage of the hash_dev over just checking the hash
it before mounting.
Any pointers/suggestions very much appreciated! Thank you again for
all your support.
More information about the dm-crypt