[Pkg-cryptsetup-devel] Implementing a robust check-system

Jonas Meurer jonas at freesources.org
Sat Feb 4 15:42:16 UTC 2006


On 03/02/2006 gebi at sbox.tugraz.at wrote:
> i've just added a short description of my ideas of a robust checksystem
> for cryptdisks to svn.

great work, but i still see some remaining issues:

> main ideas:
> - only check things per default if one of OUR actions causes dataloss!

yes, sounds plausible.

> - don't check for all filesystems and hope not to find one!

what do you mean with that?

> for swap:
> - disable luks for swap usage in cryptdisks.
> - if the partition is of type swap, wipe it (if the user sets / to type swap
> it's his fault, not ours!).

or in other words in your checksystem_doc:

> # swap
> ##
>     no luks allowed with swap option, because it's useless
> precheck:
>     - check if the device exists (default)
>     - check if the partition has a swap id (82) (default)
>         - if no, abort
>     - maybe a check for suspend/resume (there are reported problems
>         with some of this on grml, but are not restricted to grml)
> (?default?)
>     - mkswap
> postcheck:
>     useless

the check for partition type swap is not sufficient. it is possible to
use lvm volumes or whatever as a swap partition, and these don't have any
partition type. you understand?
i think that it's a good idea to check for the partition type, and go
ahead if it is swap. but if it is not swap (because it is not a physical
partition at all) we cannot simply fail.
that's where i would check for an existing filesystem, just like for
plain cryptsetup precheck.


> for plain cryptsetup:
> - make postcheck required, because IMHO it's impossible to check for
> all filesystems out there + their combinations with raid/lvm/evms (if
> none is given, complain loudly about this but do as the user said).
>    - if the postcheck succeeds everything is fine
>    - if the postcheck fails, abort (in interactive mode reask the pw  
> and retry).

i think that we cannot avoid a precheck. at least we should provide one
(for non-physical swap partitions, and for plain cryptsetup). we don't
need to activate it per default, but still we should provide it.
for example, people could use their encrypted device in uncommon ways,
without a filesystem, lvm etc. then a postcheck would be pretty useless.

> such a checksystem should be pretty robust against errors and not
> imply impossible actions.
> 
> what do you think about the ideas outlined above?

i like your ideas, with the following exceptions:

- swap devices which are not a physical partition need to be supported.
  thus, the check for partition type cannot be the only one for swap.
- prechecks for all filesystems need to be possible, for logical swap
  devices and for non-common plain cryptsetup devices.
- the default for swap should be improved according to the two other
  raised issues.
- the default for plain cryptsetup should be as you suggested, precheck
  is not default, but exists as a possible option.

if you agree with me, i'll update the checksystem_doc accordingly.

...
 jonas
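A sketch of the signature-based precheck and postcheck discussed in this message, in POSIX shell. This is an added example, not code from cryptdisks or from the checksystem_doc. It assumes 4 KiB pages for the swap signature offset, recognises only LUKS, ext2/3/4 and Linux swap signatures, and uses regular files in place of block devices so the checks can be exercised against constructed images. The partition-type (ID 82) check is deliberately left out: these functions cover the "logical swap device" path, where no partition type exists and only an on-disk signature can tell whether mkswap would destroy something.

```shell
#!/bin/sh
# Added example (not cryptdisks code): signature-based pre/postchecks for
# swap and plain dm-crypt devices. Assumptions: 4 KiB pages (swap signature
# offset), only LUKS / ext2-3-4 / Linux swap are recognised, and regular
# files stand in for block devices.

# probe_bytes FILE OFFSET LENGTH: print LENGTH bytes at OFFSET as lowercase hex
probe_bytes() {
    od -An -tx1 -j "$2" -N "$3" "$1" 2>/dev/null | tr -d ' \n'
}

# detect_signature DEVICE: print luks, ext, swap or none. Always exits 0 so
# it can be used in a command substitution under 'set -e'.
detect_signature() {
    if [ "$(probe_bytes "$1" 0 6)" = "4c554b53babe" ]; then
        echo luks                      # "LUKS" 0xba 0xbe at offset 0
    elif [ "$(probe_bytes "$1" 1080 2)" = "53ef" ]; then
        echo ext                       # superblock magic 0xEF53 at 1024+56
    elif [ "$(probe_bytes "$1" 4086 10)" = "53574150535041434532" ]; then
        echo swap                      # "SWAPSPACE2" at end of the first page
    else
        echo none
    fi
    return 0
}

# precheck_swap DEVICE: the logical-swap path from the mail. A blank device
# or one that is already swap may be wiped by mkswap; anything carrying a
# different signature is refused, because mkswap would destroy data there.
precheck_swap() {
    dev=$1
    if [ ! -e "$dev" ]; then
        echo "precheck: $dev does not exist" >&2
        return 1
    fi
    sig=$(detect_signature "$dev")
    case $sig in
        swap|none) return 0 ;;
        *) echo "precheck: refusing to mkswap $dev, it carries a $sig signature" >&2
           return 1 ;;
    esac
}

# precheck_plain DEVICE: the optional (non-default) precheck for plain
# cryptsetup; refuses if the raw device already holds something recognisable.
precheck_plain() {
    sig=$(detect_signature "$1")
    if [ "$sig" = none ]; then
        return 0
    fi
    echo "precheck: $1 already carries a $sig signature" >&2
    return 1
}

# postcheck_plain MAPPED: after mapping a plain device, a wrong passphrase
# yields garbage, so require a known signature on the mapped device.
postcheck_plain() {
    [ "$(detect_signature "$1")" != none ]
}

# make_image PATH KIND: build a constructed 8 KiB test image carrying the
# requested signature (luks, ext, swap or none). Test data only.
make_image() {
    dd if=/dev/zero of="$1" bs=4096 count=2 2>/dev/null
    case $2 in
        luks) printf '\114\125\113\123\272\276' | dd of="$1" bs=1 seek=0 conv=notrunc 2>/dev/null ;;
        ext)  printf '\123\357' | dd of="$1" bs=1 seek=1080 conv=notrunc 2>/dev/null ;;
        swap) printf 'SWAPSPACE2' | dd of="$1" bs=1 seek=4086 conv=notrunc 2>/dev/null ;;
    esac
}

# demo: run the swap precheck over one image of each kind and report.
demo() {
    tmp=$(mktemp -d)
    for kind in none swap ext luks; do
        make_image "$tmp/$kind.img" "$kind"
        printf '%-5s image: signature=%-4s swap precheck: ' "$kind" "$(detect_signature "$tmp/$kind.img")"
        if precheck_swap "$tmp/$kind.img" 2>/dev/null; then echo ok; else echo refused; fi
    done
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run with `sh precheck.sh demo` to see the blank and swap images accepted and the ext and LUKS images refused. A real implementation would hand the probing to blkid rather than hard-coding offsets, and would take the partition-type shortcut first, as the mail proposes; the structure of the decision stays the same.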
