Re: Linux distro w/loop-aes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



> Max Vozeler wrote: 
> Yes, unfortunately the packages in Ubuntu are not in a good state.
> I can only give an "outsiders" view of why that is: The loop-AES
> packages live in the "universe"-component of Ubuntu which is community
> maintained and usually imported from Debian unstable at some point
> during development of an Ubuntu release. From my perspective as Debian
> maintainer, this point is fairly arbitrary. 

In fact Debian has the more proper packages! Over the recent days I did some review on Debian 4.0 (etch) and Canonical´s 7.10 Kubuntu named "gusty gibbon". To my surprise etch comes along with an installer that offers loop-aes and also device-mapper encryption in various ciphers. Tribe-1 of Kubuntu 7.10 doesn´t include such fancy things but the installation is very simple!
So now to the points which hurt. For both distros loop-aes modules are available and KNOPPIX 5.2 even ships with them. The point is that their kernels are unsuitable to boot from USB memory.
What is loop-aes for you? Some people think the job is done when you are able to handle encrypted partitions. Almost any newer distro can do this. Others look for root encryption with an unencrypted /boot partition. Only etch can currently provide this directly from the installer. SuSE, Ubuntu and others require finishing touches. Since mainboards can boot from removable USB memory I thought it is a good idea to spare the unencrypted /boot partition and remove even the last traces from every disk. Not a single installer can do this today - and it will remain like this.
Reasons are:
Installers create partitions which skip space at the beginning and end of a hard drive. The first 512 bytes are occupied by master boot record and partition table. This data betrays that I actually store data here and reveals positions. Due to filesystem conventions there remains some cut-off at the end of the drive. Once I am done with a system disk there is no partition table left over and no space before the beginning of a first partition wasted. When issuing "less -f /dev/sdX" there has to come up nothing else but randomly looking data, from the first to the very last sector. Such a drive looks no different from a drive where "dd if=/dev/urandom of=/dev/sdX" has been run.
Regarding kernels I would like to add that none of them has usbcore built-in which is definitely required to boot from USB memory. For standard distros it would make no sense to build this module into the kernel. That´s why installable modules will never do the job.


> I usually learn about the versions imported from Debian as soon
> as someone notices a problem with the version included in an Ubuntu
> release. It has happened that a comparably minor bug (but one that
> affected usability of the package strongly) was included in an Ubuntu
> release, although it was documented in the Debian bugtracking system
> and already fixed by a newer version. So what seems to me is missing
> is a dedicated maintainer who actually uses loop-AES and checks for
> bugs, usability and does general QA of the Ubuntu versions of the
> loop-AES packages before they get released.

Interesting to see your perspective of this issue. I knew you are a package maintainer but I do not entirely understand how ubuntu and debian sit together. Ubuntu documentation disadvises the installation of debian packages. In case of aespipe and gnupg there is not hint whether the binaries are linked statically or not. You know you need them linked statically for use in root encryption. However this is not a bug! I just doesn´t fit a special purpose. Because of this I wouldn´t look for precompiled packages any further. I took the kernel-source and other source code to build everything just as I did under SuSE before. This led to a working kernel up to the point where the password is asked.
With regard to your work I would say it definitely helps users to have packages which provide access to encrypted partitions. This would allow for encryption CDs/DVDs and non-system partitions without kernel manipulation. To my knowledge KNOPPIX and Debian provide this, Ubuntu is very close to it.
As you are interested in feedback I fear there are too few users occupied with this issue. Even I had problems in describing where my work failed.

 
> Even if you didn't mean to criticise, I think construtive criticism
> can be very important. :-) To improve the state of loop-AES in Ubuntu
> it would be useful to provide feedback (bug reports, etc.) to the MOTU
> Team, who AFAIK take care of packages in the "universe" component. I'm
> not actually involved in Ubuntu development, but if I can help someone
> adapt the Debian packages to Ubuntu and fix problems, share experience,
> etc, I would be happy to help. I just cannot really take care as
> maintainer for another distribution.

Well I am far from criticizing people who spend their time on providing free software. On this forum I just ask for help from time to time. Non of the distros was ever said to provide full disk encryption. I suppose nobody would waste his time to write an installer that sets up a distro without partitions only because of I fear to leak information about where my files may sit. My hope is simply to have distros in reach that are suitable for manipulating them in the desired way. Some SuSE distros cam with kernels that didn´t compile after my reconfiguration. I had to ask questions here to get it done.
By the way, I lost a gusty-gibbon installation because the NVIDIA graphics driver turned out to be the wrong module. On SuSE I would correct it with "sax2" but for ubuntu I simply don´t know the right command:-(

So thank you for all your efforts. We will benefit from advances in debian as well as any other distro.


Kind regards,
Peter
-- 
Ist Ihr Browser Vista-kompatibel? Jetzt die neuesten 
Browser-Versionen downloaden: http://www.gmx.net/de/go/browser

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/


[Index of Archives]     [Kernel]     [Linux Crypto]     [Gnu Crypto]     [Gnu Classpath]     [Netfilter]     [Bugtraq]