Crypto made easy for Breezy?
Ilkka Tuohela
hile at nixu.com
Sat Jun 11 02:50:35 CDT 2005
to, 2005-06-09 kello 23:35 +0200, Christian Bjälevik kirjoitti:
> On tor, 2005-06-09 at 13:57 -0700, Karl Hegbloom wrote:
> > http://www.flyn.org/easycrypto/easycrypto.html
> > --
> Breezy g-v-m has support for LUKS already. Using pmount as it's backend.
> The luks-tools sure look like something we can have use for though.
One thing I would like to see as well is support for encryption from
install CD, allowing encryption of / and swap partitions: probably
these should be LUKS-format by default, just to make things uniform
and to get LUKS multiple keys support and other benefits available.
I think this is what we need for d-i support of encrypting system
partitions and swap:
- cryptsetup-luks udeb for d-i, cryptsetup-luks to the default
initrd for mounting / and cryptoswap (hibernation)
- Integrate LUKS-encryption support and dialogs with partitiing dialogs
And some more interesting options to installer:
- Implement /etc/keys/foo.key partition key automatic creation and usage
support, when there are separate / /usr etc. partitions and / is
encrypted: if someone gets to a live ubuntu with root permissions the
game is over already, it does not matter if you can see encryption
keys for already mounted partitions (note that we don't maybe want all
partitions automounted, maybe there could be a /work partition which
is only mounted when required)
- for branded systems, it would be nice to be able to set up the branded
cd to create random backup keys automatically, encrypting these keys
with the 'brand' pgp-key and send the encrypted key file to a certain
mail address when system is connected to 'net: here I'm thinking
about corporate usage where access to encrypted laptops installed
by personnel who can't access the system anymore for some reason
could be automated this way securely. This needs basically a hook in
encrypted installer which allows easily adding such scripts to be
added if required.
BTW, I'm right now using encrypted / /usr /var /tmp /home partitions
setup with encrypted swap, everything works perferctly including
hibernation (you need to give cryptoswap passphrase to wake up from
hibernation). It was just a PITA to set up, that's why I would like to
see installer support.
*hile*
More information about the ubuntu-devel
mailing list