[dm-crypt] distributing compressed, encrypted, and signed images

Alex Polvi alex at polvi.net
Mon Mar 3 03:54:59 CET 2014


Thank so much to the developers of dm-crypt for all your hard work,
this stuff is great!

I'm trying to build a root filesystem in a squashfs, that is then
encrypted using cryptsetup, then verified with veritysetup. The goal
is to create a container filesystem that is encrypted and verified.

I'm able to do all this no problem, but I'm a bit confused on how the
hash_dev[1] is supposed to be used. For my testing, I used a loopback
device for my hash_dev. When I'm ready to distribute my encrypted
squashfs to someone, I was expecting to give over the passphrase for
cryptsetup, and the sha256 generated by veritysetup format. However,
it looks like I also have to distribute my hash_dev as well. Is that
the case? Does that mean I need to ship my main image, the hash_dev
image, and sha256 that corresponds to both? Is there some clever way
to do this that I am overlooking?

Also, since squashfs is readonly already, is dm-verity overkill? I'm a
bit lost on the advantage of the hash_dev over just checking the hash
it before mounting.

Any pointers/suggestions very much appreciated! Thank you again for
all your support.



[1]: https://code.google.com/p/cryptsetup/wiki/DMVerity

More information about the dm-crypt mailing list