[Bug 1766865] Comment bridged from LTC Bugzilla

bugproxy bugproxy at us.ibm.com
Wed Sep 5 07:59:45 UTC 2018


------- Comment From heinz-werner_seeck at de.ibm.com 2018-09-05 03:53 EDT-------
Addl. information
You cannot encrypt the boot partition. -- After all, there must be code to open an encrypted partition.
You can encrypt the root partition.
In order to do so, the code in the boot partition must open the boot partition,
i.e., the initrd or initramfs contains code to issue the cryptsetup open/luksOpen commands for the root partition before the chroot command.
With LUKS/LUKS2 you must provide a pass phrase - on PCs that is asked for interactively (possibly derived from the password) -- somehow Canonical does this with their Ubuntu distributions today.
With protected key crypto (PAES) you need not protect a pass phrase. With dm-crypt plain mode you can use a secure key stored somewhere in the initrd/initramfs, or with LUKS2 you can simply store the pass phrase in a file in the initrd/initramfs, because the security of the disk key is protected by the HSM (CryptoExpress card) and does not depend on being wrapped by a secret pass phrase.
Note, before a system tries to use PAES it should verify that a CCA coprocessor (CEXnC adapter) is available.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1766865

Title:
  [18.10 FEAT] Installer support for protected key dm-crypt

Status in Ubuntu on IBM z Systems:
  Triaged
Status in debian-installer package in Ubuntu:
  New
Status in partman-crypto package in Ubuntu:
  New
Status in s390-tools package in Ubuntu:
  Fix Released

Bug description:
  Documentation regarding pervasive encryption is available on IBM Knowledge Center; for details see
  https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lxdc_quick/lxdc_a_quick_linuxonz.html

    -> PDF file for Getting started with pervasive encryption
    -> Prerequisites
       These hardware and software components are required for implementing pervasive disk encryption.

    -> Creating and accessing an encrypted partition
       Setting up disk encryption entails generating secure keys and creating logical volumes.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1766865/+subscriptions
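The comment above describes the initramfs step (check for a CCA coprocessor, then open the root volume with a secure key kept in the initramfs before chroot/switch_root). The following shell script is an added example written for this page; it is not code from the bug report, from Canonical or from s390-tools. It assumes that the AP bus exposes adapters under /sys/bus/ap/devices/card*/ with a "type" attribute (e.g. CEX6C) and an "online" attribute, that the dm-crypt cipher name is paes-xts-plain64 with a 128-byte (1024-bit) secure XTS key as documented for protected key dm-crypt, and the key-file path /etc/zkey/root.skey is a placeholder. SYSFS defaults to /sys but can be pointed at a test tree.

```shell
#!/bin/sh
# Added example: pre-flight check for a CCA coprocessor, then the cryptsetup
# invocation an initramfs would run for a PAES (protected key) dm-crypt plain
# root volume. Not from the bug report or s390-tools; sysfs layout, cipher name
# and key size are assumptions documented in the lead-in.

SYSFS="${SYSFS:-/sys}"   # overridable so the functions can run against a fake tree

# cca_coprocessor_available: return 0 if at least one online CCA coprocessor
# (card type CEXnC, e.g. CEX5C/CEX6C) is present. Accelerators (CEXnA) and
# EP11 coprocessors (CEXnP) do not count: PAES secure keys are wrapped by the
# CCA master key, so without a CCA card the kernel cannot derive the
# protected key and dm-crypt would fail obscurely.
cca_coprocessor_available() {
    for card in "$SYSFS"/bus/ap/devices/card*; do
        [ -r "$card/type" ] || continue
        ctype=$(cat "$card/type")
        online=$(cat "$card/online" 2>/dev/null || echo 1)
        case "$ctype" in
            CEX[0-9]*C) [ "$online" = "1" ] && return 0 ;;
        esac
    done
    return 1
}

# paes_open_cmd DEVICE NAME KEYFILE: print the cryptsetup command line.
# The secure key file is not a pass phrase: it is useless without the CCA
# master key inside the HSM, which is why it may live in the initramfs.
paes_open_cmd() {
    dev=$1; name=$2; keyfile=$3
    [ -f "$keyfile" ] || { echo "secure key file $keyfile missing" >&2; return 1; }
    # An XTS secure key is two 64-byte CCA AES secure keys: 128 bytes = 1024 bits.
    size=$(wc -c < "$keyfile" | tr -d ' ')
    [ "$size" -eq 128 ] || { echo "unexpected key size $size (want 128 bytes)" >&2; return 1; }
    printf 'cryptsetup open --type plain --cipher paes-xts-plain64 --key-size 1024 --key-file %s %s %s\n' \
        "$keyfile" "$dev" "$name"
}

# open_paes_root DEVICE NAME KEYFILE: the check-then-open step.
# Returns 2 when no online CCA coprocessor exists (caller can fall back to a
# LUKS pass phrase prompt), 1 on key-file problems, 0 on success.
# DRY_RUN=1 (the default) prints the command instead of executing it.
open_paes_root() {
    dev=$1; name=$2; keyfile=$3
    if ! cca_coprocessor_available; then
        echo "no online CCA coprocessor (CEXnC) found; PAES cannot unwrap the secure key" >&2
        return 2
    fi
    cmd=$(paes_open_cmd "$dev" "$name" "$keyfile") || return 1
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$cmd"
    else
        sh -c "$cmd"
    fi
}

# Stand-alone use (placeholder paths): PAES_ROOT_DEV=/dev/dasdb1 sh paes-open.sh
if [ -n "${PAES_ROOT_DEV:-}" ]; then
    open_paes_root "$PAES_ROOT_DEV" root "${PAES_KEYFILE:-/etc/zkey/root.skey}"
fi
```

The return code 2 is deliberate: an initramfs that distinguishes "no CCA card" from "bad key file" can prompt for a LUKS pass phrase or drop to a rescue shell with a useful message, instead of leaving the admin to guess why dm-crypt rejected the key.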