encrypted swap

David Mandelberg mandelbergd at eth0.is-a-geek.org
Thu Jan 6 19:03:57 CST 2005


John Richard Moser wrote:
> Modify ubuntu's boot scripts so that before swap is activated, something
> like /etc/crypts.conf is read in.  If there's a cryptoswap in there,
> appropriate swap encryption can be done.
No need to do that, cryptsetup comes with a functional init script.

> Here's an example of me doing encrypted swap manually:
> 
> # swapoff /dev/hda2
> # cryptsetup -d /dev/random -s 256 create swap /dev/hda2
> # mkswap /dev/mapper/swap
> # swapon /dev/mapper/swap
That's done by the cryptsetup init script.

> This means of course that you lose verification; swapon normally looks
> at vfat, reiser, ext2, etc and goes "Uh.  That's not swap space."
This is currently only a problem if somebody is using a usb drive or
something similar for swap and they add a scsi drive, changing the device names.
(If the root partition is also on the usb drive it wouldn't matter because the
system would become unbootable anyway.) The only way I can think of to fix that
is to modify the udev rules to make usb mass storage devices not look like scsi
devices, which shouldn't be very hard.

> You don't even really need an initrd to do this unless you're doing this
> to /.  An encrypted / can only be done from initrd :)
I wasn't planning on changing the d-i initrd or the linux-image-* initrds.


-- 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GAT/CM$/CS>$/CC/IT$/M/S/O/U dpu s+:++ !a C++$>C+++$
UB+++>++++$L++++$*-- P+>++$ L+++(++++)$ E-(---) W+++>$ N(+) o? K-
w--(---) O? M V? PS++@ PE-@ Y+@ PGP++(+++)>$ t? 5? X? R tv--(-)
b++(+++)@ DI? D? G e->++++ h* r? z*
------END GEEK CODE BLOCK------

David Mandelberg
mandelbergd at eth0.is-a-geek.org
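The check John says is lost with a random-key cryptsetup swap is the one swapon does on a plain partition: look for a known filesystem and refuse if one is there. The script below is an added example written for this thread, not code from either poster or from cryptsetup; it re-creates that guard in front of the quoted four-command sequence by reading the on-disk magics of ext2/3, vfat and reiserfs at their fixed offsets and refusing to run cryptsetup/mkswap on a device that carries one. Because the partition holds only random-looking ciphertext after the first encrypted use, the guard deliberately allows unrecognised contents through, so it catches the "usb stick with a filesystem got the swap device's name" case but not a rename between two random-looking devices. The device path and mapper name are illustrative; the set-up step needs root and util-linux/cryptsetup, while the detection functions work on any file.

```shell
#!/bin/sh
# Added example (not from the original thread): refuse to treat a device as
# swap if it carries a recognisable filesystem, then run the quoted
# cryptsetup sequence. Offsets come from the on-disk formats of ext2/3
# (superblock magic), FAT (BPB filesystem-type string) and reiserfs.

# Lower-case hex of $3 bytes at offset $2 of file $1, no spaces (e.g. "53ef").
bytes_at() {
    od -An -tx1 -j "$2" -N "$3" "$1" 2>/dev/null | tr -d ' \n'
}

# ASCII text of $3 bytes at offset $2 of file $1 (NUL bytes dropped).
text_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'
}

# Print the name of the filesystem whose magic is present, or "none".
#   ext2/3/4 : 0xEF53 little-endian at byte 1080 (superblock 1024 + 56)
#   FAT12/16 : "FAT" at byte 54;  FAT32 : "FAT32" at byte 82
#   reiserfs : "ReIsErFs" / "ReIsEr2Fs" / "ReIsEr3Fs" at byte 65536 + 52
detect_filesystem() {
    dev="$1"
    if [ "$(bytes_at "$dev" 1080 2)" = "53ef" ]; then
        echo ext
        return 0
    fi
    case "$(text_at "$dev" 54 3)" in
        FAT) echo vfat; return 0 ;;
    esac
    case "$(text_at "$dev" 82 5)" in
        FAT32) echo vfat; return 0 ;;
    esac
    case "$(text_at "$dev" 65588 9)" in
        ReIsErFs*|ReIsEr2Fs|ReIsEr3Fs) echo reiserfs; return 0 ;;
    esac
    echo none
    return 0
}

# Bring up swap on $1 through a one-shot random key as /dev/mapper/$2
# (the sequence quoted in the thread), only if no filesystem is recognised.
# Returns 1 without touching the device when the guard trips.
setup_crypto_swap() {
    dev="$1"
    name="${2:-swap}"
    fs=$(detect_filesystem "$dev")
    if [ "$fs" != none ]; then
        echo "refusing: $dev looks like a $fs filesystem, not swap space" >&2
        return 1
    fi
    swapoff "$dev" 2>/dev/null || true
    # -d /dev/random: key read from the kernel RNG for this boot only,
    # never written anywhere; -s 256: key size in bits
    cryptsetup -d /dev/random -s 256 create "$name" "$dev"
    mkswap "/dev/mapper/$name"
    swapon "/dev/mapper/$name"
}

# usage (as root): setup_crypto_swap /dev/hda2 swap
```

Run the detection functions against image files to see what the guard recognises; wiring setup_crypto_swap into the init script in place of the bare cryptsetup call gives back roughly the "Uh, that's not swap space" behaviour for the filesystems listed, which is the case where a device rename would otherwise silently destroy data.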