[Pkg-cryptsetup-devel] Re: Status of partman-crypto

Max Vozeler max at nusquama.org
Mon Mar 6 16:22:10 UTC 2006


On Thu, Mar 02, 2006 at 04:31:03PM +0100, Frans Pop wrote:
> On Wednesday 01 March 2006 16:53, Martin Michlmayr wrote:
> > What's the status of partman-crypto?
> 
> http://wiki.debian.org/DebianInstaller/PartmanCrypto
> 
> It was also discussed in:
> http://people.debian.org/~bubulle/d-i/irc-meeting-20060128/log

I meant to reply two days ago, but then got distracted :-)

Here is a rough overview of the current status and my plans for
it. I'm CCing cryptsetup maintainers to ask if you guys would
be interested in helping with LUKS support in partman-crypto -
please see below for more about this.

  1. loop-AES support 

     This is blocked by availability of uuencode (busybox-udeb)
     and gnupg udebs.
     
     The lack of uuencode can be worked around without too much
     difficulty by making partman-crypto Arch: any and including
     a minimal base64 encoder in the package. While not as elegant
     as using uuencode from busybox-udeb, it could be done. waldi
     has sadly (for me) not commented on the information I 
     provided in bug #323436, so I'm not sure how to go forward.
     
     Lack of gnupg-udeb is more of a blocker, but I'm still 
     optimistic that the maintainer will find time to consider 
     building the udeb if the situation (and blocking nature) is 
     explained. I had not gotten around to this, but I have now 
     mailed him again, hoping to learn what he thinks.

     In summary, loop-AES support is not functional without
     packages from outside the archive. It can exist as an
     external build of the installer for now. This does not 
     impede support for cryptsetup-luks and work could go on
     in that direction in the meantime.

  2. cryptsetup-LUKS support

     Work has not started on this yet. 
     
     My estimation is that it won't be difficult to get working.
     I don't have much experience with cryptsetup and don't know
     enough about what are considered best practices, so I've not
     started to work on this myself. I would be very happy to join
     forces with people knowledgeable about it and extend/change
     partman-crypto and get it working.

     This is a call and offer for help with LUKS :-) Please get 
     in touch if you are interested. It would be great to have a
     chat about how this support would look. Since I have some 
     free time in the next weeks, I'll start to look into this 
     and send lots of questions to cryptsetup maintainers :-)

  3. Random sources for key generation.
     
     For loop-AES it is essential that we have a good source of
     entropy to allow us to extract the required amount of random
     key data from /dev/random in finite time. Currently the low
     amount of entropy inside d-i makes the key generation block 
     for a long time. (I'm not sure how important this point is 
     for key generation in LUKS setups.)

     The plan here is to solicit input from people who maintain
     packages related to entropy gathering in Debian, and find a 
     solution that will make the key generation less painful. This
     may be possible to do by having a daemon like rngd that is fed
     from hardware rngs, audio-entropyd, video-entropyd and other
     potential sources depending on their availability.
     
     People I plan to contact here are hmh and fw (@d.o). I hope 
     to get around to sending them information and questions about
     this in the following weeks.

The wiki page is a little outdated, I'll update it with this
information later.

cheers,
Max


