[Bug 432785] Re: add support to ecryptfs-setup-swap for keyed hibernation

papukaija 432785 at bugs.launchpad.net
Fri Oct 28 17:33:58 UTC 2011


The possibility for LVM & LUKS encryption from Ubiquity is discussed at
https://blueprints.launchpad.net/ubuntu/+spec/foundations-o-ubiquity-lvm-luks

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubiquity in Ubuntu.
https://bugs.launchpad.net/bugs/432785

Title:
  add support to ecryptfs-setup-swap for keyed hibernation

Status in eCryptfs - Enterprise Cryptographic Filesystem:
  Triaged
Status in “ecryptfs-utils” package in Ubuntu:
  Confirmed
Status in “ubiquity” package in Ubuntu:
  Confirmed

Bug description:
  ecryptfs-setup-swap currently creates entries in /etc/fstab and
  /etc/crypttab for encrypted swap, in order to increase the security of
  systems using ecryptfs.

  However, in its current implementation, this breaks hibernation
  support in most cases.  The current implementation just creates a
  randomly generated key each boot for swap space.

  The advantage of this approach is that this allows the system to boot
  unattended, without prompting for a passphrase until system login
  screens.

  However, in the long term, we would like to eventually fix this
  problem, and cleanly support hibernation to encrypted swap.

  As I see it, there are a few approaches...

   1) configure encrypted swap using a single static passphrase stored
  in LUKS, which is required at system boot; this same passphrase would
  be required to resume the system; this breaks unattended boots, and
  requires all users on a system to share the same swap passphrase

   2) randomly generate the passphrase at boot, but wrap this passphrase
  using a pam module each time a user logs in (up to 7 different users),
  and stuff this wrapped passphrase in LUKS; this would allow any user
  who has logged into the system to resume it; each user would use their
  own passphrase to resume; and this would *not* break unattended boots

   3) create and setup a swap file at user login, rather than at boot,
  hook pam to put that passphrase into LUKS; no passphrase required
  until login; only one user really supported, which is perhaps okay for
  some laptop setups; no swap space available during boot, which perhaps
  isn't that big of a deal

  
  :-Dustin

To manage notifications about this bug go to:
https://bugs.launchpad.net/ecryptfs/+bug/432785/+subscriptions
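The bug description above hinges on one property of the /etc/crypttab entry that ecryptfs-setup-swap writes: a swap mapping keyed from /dev/urandom gets a fresh key every boot, so a hibernation image written into it can never be read back, while approach 1 (a LUKS mapping with a stable passphrase prompted at boot) can be resumed from. The script below is an added example, not code from the bug report or from ecryptfs-utils: it reads a crypttab-format file and states, per mapping, whether resume from hibernation is possible. The sample crypttab it writes is constructed for the demo, and the device names, cipher string and function names are assumptions, not copied from any real system.

```shell
#!/bin/sh
# Added example (not from the bug report or ecryptfs-utils): classify each
# /etc/crypttab mapping by whether a hibernation image written to it could
# be resumed on the next boot.
#
#   crypttab_resume_check FILE  -> one verdict line per mapping
#   crypttab_unresumable  FILE  -> number of swap mappings that cannot resume
#
# Rule: a swap mapping whose key file is /dev/urandom is re-keyed on every
# boot (the ecryptfs-setup-swap default), so its contents are lost across a
# reboot and resume is impossible. A mapping with key field "none" is
# unlocked by a passphrase prompt at boot, so resume is possible. Anything
# else is keyed from a file, which only works if the initramfs can read
# that file before the root filesystem is mounted.

crypttab_resume_check() {
    # crypttab fields: <target> <source> <key file> <options>; options may be absent
    while read -r target source keyfile options; do
        case "$target" in ''|\#*) continue ;; esac   # skip blank and comment lines
        case ",$options," in
            *,swap,*) is_swap=1 ;;
            *)        is_swap=0 ;;
        esac
        if [ "$keyfile" = /dev/urandom ] && [ "$is_swap" = 1 ]; then
            echo "$target: random key each boot -> hibernation resume impossible"
        elif [ "$keyfile" = none ]; then
            case ",$options," in
                *,luks,*) echo "$target: LUKS, passphrase at boot -> resume possible" ;;
                *)        echo "$target: passphrase at boot (plain dm-crypt) -> resume possible" ;;
            esac
        else
            echo "$target: keyed from $keyfile -> resume possible only if the initramfs can read that file"
        fi
    done < "$1"
}

crypttab_unresumable() {
    # grep -c exits 1 when the count is 0; "|| true" keeps the count printable under set -e
    crypttab_resume_check "$1" | grep -c 'resume impossible' || true
}

write_sample_crypttab() {
    # Constructed sample, not a real system's /etc/crypttab. The first entry is
    # the shape ecryptfs-setup-swap produces (random key, "swap" option); the
    # second is approach 1 from the bug: a passphrase-keyed LUKS mapping.
    cat > "$1" <<'EOF'
# <target>   <source>   <key file>    <options>
cryptswap1   /dev/sda5  /dev/urandom  swap,cipher=aes-cbc-essiv:sha256
sda6_crypt   /dev/sda6  none          luks
EOF
}

# Stand-alone demo on the constructed sample
tmp=$(mktemp)
write_sample_crypttab "$tmp"
crypttab_resume_check "$tmp"
echo "non-resumable swap mappings: $(crypttab_unresumable "$tmp")"
rm -f "$tmp"
```

Run against a real /etc/crypttab, the check gives a quick answer to the question the bug raises: a system whose only swap mapping reports "random key each boot" has encrypted swap but no working hibernation, which is exactly the trade-off the current implementation makes in favour of unattended boot.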
