Bug#782712: pre-upload unblock request: systemd/215-17 for RC bug #751707

Martin Pitt mpitt at debian.org
Thu Apr 16 20:53:55 BST 2015


Hello Cyril,

Cyril Brulebois [2015-04-16 19:40 +0200]:
> Anyway, asking for home encryption indeed leads to swap encryption,
> through an ecryptfs-setup-swap call, which in turn triggers:
> |        echo "cryptswap$i UUID=$uuid /dev/urandom swap,offset=1024,cipher=aes-xts-plain64" >> /etc/crypttab
> `---[ src/utils/ecryptfs-setup-swap ]---
> 
> The same file in the Debian package has no offset, so I guess that means
> Debian is rather safe.

Well, it actually means that it's even more broken :-( If you don't
specify an offset at all, then you can only boot this system once.
Then your partition will be overwritten with random data entirely, and
the next time you won't have any matching UUID any more, and you again
get a hanging boot (this affects sysvinit and upstart too). I.e. you
will have exactly the same effect.

So to properly fix this, we need:

 (1) the fix to add the offset=:
     https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/840

     (Updating the used cipher would also be a good idea, but not
     essential)

     This fix alone is sufficient under sysvinit and upstart.

 (2) this systemd fix to actually respect offset= when booting under
     systemd.

Thanks,

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
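
Added example, not part of the original message and not code from ecryptfs or systemd: a small checker for the crypttab condition described in the mail above (a swap entry keyed from /dev/urandom, located by UUID, with no offset=). The function names and sample UUIDs are constructed, and treating /dev/disk/by-uuid/ paths and offset=0 the same way as a missing offset is an assumption of this sketch.

```python
# Added example: audit crypttab text for randomly keyed swap entries that are
# found by UUID but have no offset= to keep the on-disk UUID from being overwritten.
RANDOM_KEYS = {"/dev/urandom", "/dev/random"}

# Constructed sample input; the UUIDs are placeholders, not values from the mail.
SAMPLE = """\
# <name> <source device> <key file> <options>
cryptswap1 UUID=00000000-0000-0000-0000-000000000001 /dev/urandom swap,offset=1024,cipher=aes-xts-plain64
cryptswap2 UUID=00000000-0000-0000-0000-000000000002 /dev/urandom swap,cipher=aes-xts-plain64
cryptswap3 /dev/sda5 /dev/urandom swap,cipher=aes-xts-plain64
"""

def parse_crypttab(text):
    """Yield (lineno, name, source, keyfile, options dict) for each entry."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed entry: needs at least name and source
        keyfile = fields[2] if len(fields) > 2 else "none"
        opts = {}
        for opt in (fields[3].split(",") if len(fields) > 3 else []):
            key, _, value = opt.partition("=")
            opts[key] = value
        yield lineno, fields[0], fields[1], keyfile, opts

def has_offset(opts):
    """True only for a positive numeric offset= option."""
    value = opts.get("offset", "")
    return value.isdigit() and int(value) > 0

def risky_swap_entries(text):
    """Return (lineno, name) for entries that would lose their UUID after one boot."""
    findings = []
    for lineno, name, source, keyfile, opts in parse_crypttab(text):
        by_uuid = source.startswith(("UUID=", "/dev/disk/by-uuid/"))
        if "swap" in opts and keyfile in RANDOM_KEYS and by_uuid and not has_offset(opts):
            findings.append((lineno, name))
    return findings

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for lineno, name in risky_swap_entries(text):
        print(f"line {lineno}: {name}: random-keyed swap found by UUID, no offset=")
```

Run it with the path to a crypttab file as the only argument; without an argument it checks the constructed sample.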