[Pkg-cryptsetup-devel] Bug#371135: An alternate proposal
Daniel Kahn Gillmor
dkg-debian.org at fifthhorseman.net
Sat Jun 17 16:02:08 UTC 2006
Thanks for the interesting discussion, all! Crypted swap with
randomly-generated keys *is* useful. But it's also a fundamentally
dangerous operation, and hard (if not impossible) to protect against
user error in an automated way.
Here's an alternate proposal: leave all of the initscripts as they
stand, and for folks who want to use a crypted swap (or tmp?) device
with a random key, suggest that they append "check=/bin/true" to their
option list in /etc/crypttab.
For example:
[0 dkg at squeak ~]$ grep swap /etc/crypttab
cswap /dev/mapper/squeak0-swap /dev/random swap,check=/bin/true
[0 dkg at squeak ~]$
"check=/bin/true" basically says "take off the seatbelts! i know what
i'm doing!", and it needs to be *after* the swap option (otherwise the
swap declaration will reassert the vol_id check, i think).
Pointing out this explicit workaround for this corner case might be a
simpler and safer approach than trying to automate detection of it.
The extra option is also a good reminder for sysadmins attempting this
to triple-check the fields on that particular line before trying to
activate it.
fwiw, this is the approach that i'm using on a couple machines now,
and it Works For Me (tm).
Thanks for all the thought and sweat that's gone into cryptsetup.
It's a very useful tool.
--dkg
More information about the Pkg-cryptsetup-devel
mailing list