[pkg-cryptsetup-devel] Bug#587222: Bug#587222: cryptsetup does not/cannot close dm-crypt devices, if root-fs is on it, but does also not warn about it
Jonas Meurer
jonas at freesources.org
Sun Jun 27 10:00:36 UTC 2010
Hey Milan,
On 27/06/2010 Milan Broz wrote:
> On 06/27/2010 12:34 AM, Jonas Meurer wrote:
> >Milan, if you're reading this: does luksSuspend work for plain dm-crypt
> >devices as well?
>
> yep, I am reading this just have no time to respond to all of these Debian reports:-)
quite understandable. just don't reply if you don't have the time to do
so ;-) it would be great if you could help with upstream issues (i.e.
#586120, #584174, #586286) and i'll try to cope with the remaining,
distro-specific issues. you already do a great job at maintaining
cryptsetup!!!
> You cannot use luksSuspend for plain device, but you can use dmsetup.
>
> I described this long time ago here (probably before luksSuspend was even implemented)
> http://article.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt/2859
>
> Maybe I can add some "kill key" for plain device command to cryptsetup?
>
> (The problem is that in LUKS you can check that calculated key is correct,
> so luksResume is possible. In plain crypt device you are simply providing key
> so there cannot be perfect equivalent of Resume - any key will fit and if
> it is not correct, your data will be corrupted later.)
i'm not sure whether wiping the key at shutdown process is a good idea
at all. properly removing/luksClosing should work on clean setups, and
force-wiping the key could lead to data corruption if i got it right.
thus a clear warning that remove/luksClose failed is my favourite.
greetings,
jonas
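
The difference between LUKS and plain resume discussed in this thread, as an added example that is not part of either message and is not cryptsetup code: a header that stores a digest of the master key lets a resume step reject a wrong key, while a plain mapping has nothing to check against. The header layout is modelled on the LUKS1 master-key digest (PBKDF2 with a stored salt and iteration count); the function names, the iteration count and the SHA-256 keystream standing in for the real cipher are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def make_header(master_key, iterations=1000):
    """Build a LUKS-like header holding only a salted digest of the key."""
    salt = os.urandom(32)
    digest = hashlib.pbkdf2_hmac("sha1", master_key, salt, iterations, dklen=20)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def key_matches_header(candidate, header):
    """Recompute the digest for a candidate key and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha1", candidate, header["salt"],
                                 header["iterations"], dklen=20)
    return hmac.compare_digest(digest, header["digest"])

def resume(candidate, header=None):
    """Return True if the candidate key would be loaded into the mapping.

    With a header (LUKS-like) a wrong key is refused. Without one
    (plain-like) every key is accepted, because nothing can verify it.
    """
    if header is None:
        return True
    return key_matches_header(candidate, header)

def toy_stream(key, data):
    """Toy XOR keystream (stand-in for the real cipher, not dm-crypt's mode)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)

if __name__ == "__main__":
    right, wrong = bytes(range(32)), bytes(32)   # constructed sample keys
    header = make_header(right)
    sector = b"constructed sector data " * 4      # constructed plaintext
    on_disk = toy_stream(right, sector)
    print("LUKS-like resume, wrong key:", resume(wrong, header))
    print("plain-like resume, wrong key:", resume(wrong))
    print("read after wrong-key resume intact:",
          toy_stream(wrong, on_disk) == sector)
```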