[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: crypto-root-fs via debian-netinst.iso (dailybuild) ? - NOT YET -

To: reverend@xxxxxxxxxxxxx
Subject: Re: crypto-root-fs via debian-netinst.iso (dailybuild) ? - NOT YET -
From: Max Vozeler <max@xxxxxxxxxxxx>
Date: Tue, 1 Aug 2006 10:00:18 +0200
In-reply-to: <N1-umnGgAfr1G@Safe-mail.net>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-id: <linux-crypto.nl.linux.org>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-software: Ecartis version 1.0.0
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
Mail-followup-to: max@nusquama.org
References: <N1-umnGgAfr1G@Safe-mail.net>
Reply-to: max@xxxxxxxxxxxx
Sender: linux-crypto-bounce@xxxxxxxxxxxx

Hi Reverend,

On Tue, Aug 01, 2006 at 03:16:10AM +0200, reverend@xxxxxxxxxxxxx wrote:
> What I, Reverend, experienced (01.Aug.2006):
> 
> I tryed the newest iso's from the 28. and 31.July 2006 to get  strong root-fs-
> encryption with dm-crypt or loop-AES.-

Thanks for your feedback. As advance warning, please note that
the crypto support in debian-installer [0] is still pre-beta and
may not work as expected / at all. You did see the big warning
screen, right? ;-)

> 2.) You than want to partition with crypto-features and than manage the partitions
>      with format, Mountpoints, etc..
>      I tryed 8 to 10 times to found a way to partition AND manage the partitions
>      but I could only do once. If I choose what looks like encryption, than the
>      Mountpoints where not there, unreachable to me, or I could reach and set
>      the Mountpoints and could not encrypt anything.

Agreed that this is not ideal from a usability point of view.
The installer currently treats setting up encrypted block devices
(which you do when you chose "physical volume for encryption")
and actually using the encrypted block devices (setting
filesystem, mountpoint, etc.) as two separate steps. You need to
first setup the encrypted block device, then select "Configure
encrypted partitions".

This is explained in the Installation Guide[1], btw.

> 3.) If you choose loop-AES, what I did several times and you go the sensless
>      way of encryption without Mountpoints, you reach the point where you
>      must strike the keyboard (not mouse) maybe thousands of time to get, what
>      looks to be the /dev/random-reservoir for the gpg-key to make.
>      After 10 minutes or so the responsible menupoint crashes without warning,
>      I tryed this about 5 times.

Thousands of times sounds about alright. 

You must realize that in the installer, there is very little in
the way of unpredictable events up to the point where we need to
generate the encryption keys. Depending on the installation
method, we have either a) some access to CDROM or floppy, b) USB,
c) net access. Which of those contributes to the kernel entropy
pool is also hardware dependent, because different drivers in
Linux treat system events differently -- some may consider disk
access very "entropic", others not so much. 

Overall the events in the installer leading up to key generation
do not provide enough input to the kernel entropy pool to allow
extraction of the 2925 bytes we need foreach loop-AES key, and so
you are asked to "please bang on the keyboard like a monkey" ;-)
until the pool gets enough input.

We have considered different ways of helping to speed up this
process, but it is a difficult process. In the graphical version
of the installer, once supported, for example mouse events will
contribute as you suggested. Then some systems may have hardware
RNGs that we could use -- but those can be of different quality,
so some people explicitly recommend against using them directly
for key generation. So ... this obviously needs more work.

About the crash in this menupoint, can you describe in more
detail exactly when/how it crashes. What happens after it has
crashed ? Does the installer "hang", or does it continue? 
How much memory does this system have?

> I am waiting for newer netinst.iso's to come and will report if usefull.

Please do. We expect to release a beta3 of the installer shortly,
although there are still some known problems in the crypto
support.  We're planning to announce the installer more widely
once we have given it more testing and expect it to work
correctly. You are more than welcome to test before then, but
please beware that you are essentially testing a development
snapshot -- don't be surprised by random breakage.

cheers,
Max

-- 
[0] http://wiki.debian.org/DebianInstaller/PartmanCrypto
[1] http://d-i.alioth.debian.org/manual/en.i386/ch06s03.html#partman-crypto

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/

References:
- crypto-root-fs via debian-netinst.iso (dailybuild) ? - NOT YET -
  - From: reverend

Prev by Date: crypto-root-fs via debian-netinst.iso (dailybuild) ? - NOT YET -
Next by Date: Re: crypto-root-fs via debian-netinst.iso (dailybuild) ? - NOT YET -
Previous by thread: crypto-root-fs via debian-netinst.iso (dailybuild) ? - NOT YET -
Next by thread: Re: crypto-root-fs via debian-netinst.iso (dailybuild) ? - NOT YET -
Index(es):
- Date
- Thread