Bug#849400: debian-installer: LUKS on rootfs and boot

2018-06-21 Thread Nathan Schulte
This problem still persists, on DI Buster Alpha 2 and Alpha 3. Working
around this even as an expert is rather cumbersome; one has to play
with the various menu options, partially configuring disks/partitions
etc., to load the necessary cryptsetup components (and dependencies,
like awk for decrypt_derived script), and it cannot be completed via
the installer.

As the submitter notes, having /boot on an encrypted (LUKS) partition
_is_ supported by GRUB and the other software.  Simply making
"continue" not do the same as "go back," as was originally suggested,
would be a big improvement.  Without this, one has to set up with an
unencrypted /boot, and then use rescue mode or other knowledge to
encrypt /boot and finalize the setup.  I found no way to proceed to
install with /boot being encrypted.

--
Nate



Bug#788227: add 512 bit key-size for AES (XTS-AES)

2015-06-09 Thread Nathan Schulte

Package: partman-crypto
Version: 82

This report is to request (with patch) allowing 512 bit key-size when 
using XTS-AES for disk encryption (via the xts-aes-plain64 cipher). 
This started as a query to the mailing list (which seems useless, by the 
way) which is CC'd.


--

On 05/26/2015 02:09 PM, Nathan Schulte wrote:

As it stands, it appears the installer requires you to create a
partition table on the Encrypted Volumes and does not allow using the
entire device alone.  I believe this feature was available in the past,
though I could be mis-recalling.  Either way, I was able to do this in
the past and I'm pretty sure I haven't forgotten anything about what I
did.


After much trial and error, I was able to get this working with a rather 
simple procedure:


partman (or the step just prior) will detect and list open LUKS devices
if set up (manually) before entering the wizard.  The display is a bit
misleading, as partman shows the encrypted volumes as having a single
partition, but in this mode it does not create a partition table as you
would have to do should you choose to use the partman wizard to create
the encrypted volumes.



On a related note, I believe the partman-crypto part of the partitioner
should allow for selecting 512 bit key sizes, as the default cipher
(aes-xts-plain64) effectively halves the chosen key size.  This ought to
be a straightforward patch.


This is an extremely simple patch, which is attached.  The comment is of 
interest, however:



add 512 bit key-size for AES (XTS-AES)

the aes-xts-plain64 cipher effectively halves the chosen keysize due to
keysplitting used in the algorithm.  Thus, choosing a 256 bit key-size
does not lead to AES 256 encryption but AES 128 instead.

There's probably a better way to convey this to the user, as they'll need
to be vigilant in order to make use of this.  As well, it may be wise to
default to 256 bit key-size in the UI, and I believe this change will
cause the default selection to be 512.


--
Nate
From 5af2b9ccc99a8f1cf3be62ff3faea37f2785a480 Mon Sep 17 00:00:00 2001
From: Nathan Schulte nmschu...@gmail.com
Date: Tue, 9 Jun 2015 09:46:53 -0500
Subject: [PATCH] add 512 bit key-size for AES (XTS-AES)

the aes-xts-plain64 cipher effectively halves the chosen keysize due to
keysplitting used in the algorithm.  Thus, choosing a 256 bit key-size
does not lead to AES 256 encryption but AES 128 instead.

There's probably a better way to convey this to the user, as they'll need
to be vigilant in order to make use of this.  As well, it may be wise to
default to 256 bit key-size in the UI, and I believe this change will
cause the default selection to be 512.
---
 ciphers/dm-crypt/aes/keysize | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ciphers/dm-crypt/aes/keysize b/ciphers/dm-crypt/aes/keysize
index ab43da4..be82d8d 100644
--- a/ciphers/dm-crypt/aes/keysize
+++ b/ciphers/dm-crypt/aes/keysize
@@ -1 +1 @@
-256 192 128
+512 256 192 128
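Review bot: the file being edited is ciphers/dm-crypt/aes/keysize, i.e. it appears to be keyed by cipher rather than by cipher mode, so confirm that prepending 512 does not also offer a 512-bit key for non-XTS AES modes, where AES has no 512-bit key length; if the list is shared, the new entry needs to be gated on XTS. Prepending also changes the first entry from 256 to 512, which the commit message itself suspects will change the default selection; either state that the new default is intended or append "512" at the end instead of putting it first.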
-- 
2.1.4



partman[-crypto/-lvm]: Use entire Encrypted Volume as file system

2015-05-26 Thread Nathan Schulte
I'm wishing to use Debian-Installer to create a Debian (testing) 
installation with a full disk encryption scheme where the root partition 
is a file system directly atop the dm-crypt device.


As it stands, it appears the installer requires you to create a 
partition table on the Encrypted Volumes and does not allow using the 
entire device alone.  I believe this feature was available in the past, 
though I could be mis-recalling.  Either way, I was able to do this in 
the past and I'm pretty sure I haven't forgotten anything about what I 
did.  I'm thinking recent changes to partman-lvm (as you cannot use 
crypto with guided partitioning without LVM) might have made this 
feature go away, but I have no specifics to point at (though I'd start 
with some of the loop device based logic, given a perusal of the bug 
reports).


Anyway, even if I cannot achieve these results with partman, I'm 
wondering if I can do this all manually via the CLI and effectively 
bypass the partman part of the process (rather than creating my own 
.udeb to do the work for me).  I believe all I need to do is:


1) Set up encryption and file systems to my liking.
2) Mount the file system hierarchy under /target.
3) Create /target/etc/fstab and /target/etc/crypttab.
4) Kick-off the regular bits after partman.

Is the above correct?  Is step #4 as simple as choosing the next step 
from main-menu?


On a related note, I believe the partman-crypto part of the partitioner
should allow for selecting 512 bit key sizes, as the default cipher
(aes-xts-plain64) effectively halves the chosen key size.  This ought to
be a straightforward patch.


Thanks,

--
Nate
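As an added example illustrating the XTS key-halving point raised both in the partman-crypto patch thread above and in the closing note of this post (my code, not the reporter's patch or anything from partman-crypto): it parses the space-separated keysize list format seen in that patch (an assumption about partman's file format) and reports which AES strength each offered size actually gives for aes-xts-plain64, flagging sizes that XTS cannot use at all.

```python
"""Added example (not part of the bug report or of partman-crypto): work
out the AES key length a dm-crypt key size really gives, for the sizes
listed in a partman-crypto keysize file.  Assumptions: the cipher spec
follows dm-crypt's "cipher-mode-iv" form, and the keysize file is one
line of space-separated bit sizes, as in the patch in this thread."""

AES_KEY_BITS = {128, 192, 256}


def parse_keysize_file(text):
    """Parse ciphers/dm-crypt/<cipher>/keysize: space-separated sizes in bits."""
    return [int(tok) for tok in text.split()]


def effective_aes_bits(cipher_spec, key_bits):
    """Return the AES key length the kernel uses for this dm-crypt key size.

    XTS splits the dm-crypt key into two halves (a data key and a tweak
    key), so aes-xts-plain64 with a 256-bit key is AES-128, and AES-256
    needs a 512-bit key.  Raises ValueError for sizes AES cannot use.
    """
    name, mode = cipher_spec.split("-")[:2]
    if name != "aes":
        raise ValueError("only AES is modelled here: %s" % cipher_spec)
    aes_bits = key_bits // 2 if mode == "xts" else key_bits
    if aes_bits not in AES_KEY_BITS:
        raise ValueError("%d-bit key is not valid for %s" % (key_bits, cipher_spec))
    return aes_bits


def audit_keysize_file(cipher_spec, text):
    """Map each offered key size to its effective AES strength (None if unusable)."""
    result = {}
    for key_bits in parse_keysize_file(text):
        try:
            result[key_bits] = effective_aes_bits(cipher_spec, key_bits)
        except ValueError:
            result[key_bits] = None
    return result


if __name__ == "__main__":
    # Constructed input: the keysize line from the patch in this thread.
    for size, aes in audit_keysize_file("aes-xts-plain64", "512 256 192 128").items():
        label = "AES-%d" % aes if aes else "unusable with XTS"
        print("%3d-bit dm-crypt key -> %s" % (size, label))
```

Note that the two smaller entries in the original list, 192 and 128, come out as unusable for XTS, since halving them leaves no valid AES key length.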

