Crypto made easy for Breezy?

Ilkka Tuohela hile at
Sat Jun 11 02:50:35 CDT 2005

On Thu, 2005-06-09 at 23:35 +0200, Christian Bjälevik wrote:
> On Thu, 2005-06-09 at 13:57 -0700, Karl Hegbloom wrote:
> >
> > -- 
> Breezy g-v-m has support for LUKS already. Using pmount as its backend.
> The luks-tools sure look like something we can have use for though.

One thing I would like to see as well is support for encryption from
install CD, allowing encryption of / and swap partitions: probably 
these should be LUKS-format by default, just to make things uniform
and to get LUKS multiple keys support and other benefits available.

I think this is what we need for d-i support of encrypting system
partitions and swap:
- cryptsetup-luks udeb for d-i, cryptsetup-luks to the default 
  initrd for mounting / and cryptoswap (hibernation)
- Integrate LUKS-encryption support and dialogs with partitioning dialogs

And some more interesting options to installer:
- Implement /etc/keys/foo.key partition key automatic creation and usage
  support, when there are separate / /usr etc. partitions and / is 
  encrypted: if someone gets to a live ubuntu with root permissions the
  game is over already, it does not matter if you can see encryption 
  keys for already mounted partitions (note that we don't maybe want all
  partitions automounted, maybe there could be a /work partition which 
  is only mounted when required)
- for branded systems, it would be nice to be able to set up the branded
  cd to create random backup keys automatically, encrypting these keys
  with the 'brand' pgp-key and send the encrypted key file to a certain 
  mail address when system is connected to 'net: here I'm thinking 
  about corporate usage where access to encrypted laptops installed 
  by personnel who can't access the system anymore for some reason  
  could be automated this way securely. This needs basically a hook in
  encrypted installer which allows such scripts to be added easily
  if required.

BTW, I'm right now using encrypted / /usr /var /tmp /home partitions
setup with encrypted swap, everything works perfectly including 
hibernation (you need to give cryptoswap passphrase to wake up from
hibernation). It was just a PITA to set up, that's why I would like to
see installer support.
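
The per-partition key file scheme proposed above (random keys under /etc/keys on the encrypted root, referenced from crypttab), as an added example that is not part of the original post. The mapping name, device path, key size and the APPLY switch are assumptions; `cryptsetup luksAddKey` is only invoked when APPLY=1.

```shell
#!/bin/sh
# Added sketch: names, devices and key size are assumptions, not from the post.
# Keys live on the encrypted root, so they are only readable once / is unlocked.
KEYDIR="${KEYDIR:-/etc/keys}"

# Create a 64-byte random key file, owner-read-only; prints its path.
make_partition_key() {
    name="$1"
    keyfile="$KEYDIR/$name.key"
    # Never overwrite: replacing a key that is already enrolled locks the volume out.
    [ -e "$keyfile" ] && { echo "refusing to overwrite $keyfile" >&2; return 1; }
    mkdir -p "$KEYDIR" && chmod 700 "$KEYDIR" || return 1
    # umask in a subshell so the file is never world-readable, even briefly.
    ( umask 077 && head -c 64 /dev/urandom > "$keyfile" ) || return 1
    chmod 400 "$keyfile"
    printf '%s\n' "$keyfile"
}

# crypttab entry format: <mapping name> <source device> <key file> <options>
crypttab_line() {
    printf '%s %s %s luks\n' "$1" "$2" "$3"
}

# Enrol the key file in a free LUKS key slot. Touches the disk only when APPLY=1;
# cryptsetup then asks for an existing passphrase of that volume.
enrol_key() {
    device="$1"; keyfile="$2"
    if [ "${APPLY:-0}" = 1 ]; then
        cryptsetup luksAddKey "$device" "$keyfile"
    else
        echo "dry run: cryptsetup luksAddKey $device $keyfile" >&2
    fi
}

# Full step for one partition: key file, key slot, crypttab line on stdout.
setup_partition() {
    name="$1"; device="$2"
    keyfile=$(make_partition_key "$name") || return 1
    enrol_key "$device" "$keyfile" || return 1
    crypttab_line "$name" "$device" "$keyfile"
}
```

Because the key goes into an additional LUKS slot, the volume's passphrase keeps working alongside the key file, which is the multiple-key benefit the post mentions.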


