Bug#397887: [Pkg-cryptsetup-devel] Bug#397887: resume support renders system unbootable

David Härdeman david at hardeman.nu
Sat Nov 11 12:39:43 CET 2006 

On Fri, Nov 10, 2006 at 01:43:05PM +0100, martin f krafft wrote:
>also sprach David Härdeman <david at hardeman.nu> [2006.11.10.1331 +0100]:
>> The hook should warn about these situations though and then skip
>> adding the resume partition details to the initramfs image...I'll
>> fix that
>
>That's what I meant. Thanks for reading through my blather.

Ok, I've committed fixes for both your bugs to the SVN repo. Could you 
please test the package? Either by downloading it from:

http://www.hardeman.nu/~david/cryptsetup_1.0.4-7_i386.deb

or, if you don't want to install deb's built by non-DD's, get the source 
yourself from the svn repo (svn://svn.debian.org/pkg-cryptsetup/)

>> On a related note, if you do want to be able to resume from swap
>> without needing extra passphrases, the solution that I spoke with
>> Erich about (which I have working locally) is to first setup the
>> root partition (using e.g. LUKS) and then derive a key for the
>> swap partition using a hash of the root partition key. This would
>> give the swap partition a static key which does not need to be
>> stored in the image, thus allowing (u)swsusp.
>
>Okay, but why a hash? Why not just the same passphrase then?

Two reasons:

1) Most importantly, I'm a lazy bastard. The easiest way to get the root 
   key from an independent script is to call "dmsetup table" which 
   provides the key as a hex-ascii string which would need to be 
   converted back to binary representation.

2) Paranoia, I'm not sure it's a good idea to have several pieces of 
   "known" source data (i.e. superblocks) encrypted with the same key. 
   Not something I can back up with any authority or research of course 
   :)

The script is very simple, I've attached it as an example. If you want 
to use it, just plop it somewhere (let's say under /root) and make it 
executable.

The change /etc/crypttab so that it says something like:
cryptroot /dev/hda1 none      luks
cryptswap /dev/hda2 cryptroot keyscript=/root/decrypt_derived,hash=sha256,size=256,cipher=aes-cbc-essiv:sha256

The keyscript will be copied into the initramfs image at creation time 
and after that you'll have a static key for swap without having to enter 
two passphrases.

I'm planning to commit it once I've written some more documentation for 
it (so it might be post-Etch).

-- 
David Härdeman
-------------- next part --------------
#!/bin/sh

if [ -z "$1" ]; then
	echo "$0: must be executed with a crypto device as argument" >&2
	exit 1
fi

if ! device=$(dmsetup table 2> /dev/null | grep "$1"); then
	echo "$0: failed to read device-mapper table" >&2
	exit 1
fi

if [ -z "$device" ]; then
	echo "$0: device $1 doesn't exist" >&2
	exit 1
fi

if [ "$(echo "$device" | wc -l)" -ne 1 ]; then
	echo "$0: more than one device match $1" >&2
	exit 1
fi


type=$(echo -n "$device" | cut -d' ' -f4)
if [ "$type" != "crypt" ]; then
	echo "$0: device $1 is not a crypto device" >&2
	exit 1
fi

echo -n "$device" | cut -d' ' -f6
exit 0

More information about the Pkg-cryptsetup-devel mailing list