Re: Linux distro w/loop-aes




Hi Peter,

> In fact Debian has the more proper packages! Over the recent days I
> did some review on [...] Canonical's 7.10 Kubuntu
> named "gutsy gibbon". [...] Tribe-1 of Kubuntu 7.10 doesn't include
> such fancy things but the installation is very simple! So now to the
> points which hurt. 

I haven't taken a look at Ubuntu 7.10 yet, because it is still beta or
even alpha. But I'm familiar with Ubuntu 7.04 and earlier. So I don't
know if my comments apply to 7.10.

The installer is for people without deeper knowledge of Linux. If you
want to use encryption (dmcrypt only, because loop-AES isn't available
on the live CD or in the repositories), you can boot from the live CD,
create your encrypted devices on the shell, and then tell the installer
to use these devices. The installer will just report an error when it
tries to install the boot manager. You have to do this yourself,.... But
everything else seems to work fine,... (Of course, you have to chroot to
the new system and customize it before the first boot. But there are
just a few things to do,....)
If you want to use loop-AES, you can boot from a Knoppix CD, create
the encrypted devices and then install Ubuntu via debootstrap and
chroot. But I wouldn't do it that way, because there are too many
things you have to configure by hand,... It's easier to install Ubuntu
in the normal way and then encrypt the devices with aespipe,....

> For both distros loop-aes modules are available and

The last time I checked, Ubuntu's loop-aes package just provided
cryptoloop functionality. It doesn't include multi-key support or
something like this.

> KNOPPIX 5.2 even ships with them. The point is that their kernels are
> unsuitable to boot from USB memory. 
..
> Regarding kernels I would
> like to add that none of them has usbcore built-in which is
> definitely required to boot from USB memory.

That's wrong. You can boot from USB memory in Ubuntu without any
problems. You must create an initial ramdisk with initramfs-tools,
install syslinux on your USB stick and copy the kernel, the initial
ramdisk and your syslinux.cfg to your stick. That's all. And you have
to create an initial ramdisk in any case if you want to use full-disk
encryption,....
There are three files you need to modify/create:
[1] /etc/initramfs-tools/modules (for the modules that you want to
include in your initramfs (loop) )
[2] /etc/initramfs-tools/hooks/namedoesntmatter (for the programs that
you want to include in your initramfs (gpg,losetup,...))
[3] /etc/initramfs-tools/scripts/local-top/namedoesntmatter (a script
to set up your encrypted devices)
See 'man initramfs-tools' for details. You don't need the
"build-initrd.sh" from loop-AES.


> You know you need them linked statically for use in root encryption.

No, I don't think so. You only need it if you follow exactly the steps
in the README.

The only thing missing in Ubuntu is a loop-AES package that replaces
the original loop module and supports multi-key mode. Everything
else works fine. If such a package were available, you could
install loop-AES in analogy to dmcrypt. It isn't very difficult to
create your encrypted devices on the shell from the live CD and then tell
the installer to use these devices.
And the scripts in /etc/initramfs-tools/* are very small and easy to
understand. Everyone who is familiar with the shell and has some
basic Linux knowledge could easily set up a system with root encryption
from the live CD.


cu,
 Rudi

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
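
The three initramfs-tools files listed in the message above, written out as an added example that is not part of the original e-mail or of loop-AES. Assumptions not found in the message: the file name `loopaes`, the devices `/dev/sda2` and `/dev/loop0`, the key file `/etc/rootkey.gpg`, and a loop-AES-patched `losetup` that accepts `-e` and `-K`.

```shell
#!/bin/sh
# Added example: stage the three initramfs-tools files under a root directory.
# Assumed names (not from the e-mail): loopaes, /dev/sda2, /dev/loop0,
# /etc/rootkey.gpg; losetup is assumed to be the loop-AES-patched build.
stage_initramfs_files() {
    root=$1
    conf="$root/etc/initramfs-tools"
    mkdir -p "$conf/hooks" "$conf/scripts/local-top" || return 1

    # [1] modules to include in the initramfs (added once, idempotent)
    grep -qx loop "$conf/modules" 2>/dev/null || echo loop >> "$conf/modules"

    # [2] hook: runs at image build time, copies programs with their libraries
    cat > "$conf/hooks/loopaes" <<'EOF'
#!/bin/sh
PREREQ=""
prereqs() { echo "$PREREQ"; }
case "$1" in prereqs) prereqs; exit 0 ;; esac
. /usr/share/initramfs-tools/hook-functions
copy_exec /sbin/losetup /sbin
copy_exec /usr/bin/gpg /bin
mkdir -p "${DESTDIR}/etc"
cp /etc/rootkey.gpg "${DESTDIR}/etc/rootkey.gpg"   # gpg-encrypted key file
EOF

    # [3] local-top: runs at boot, before the root file system is mounted
    cat > "$conf/scripts/local-top/loopaes" <<'EOF'
#!/bin/sh
PREREQ=""
prereqs() { echo "$PREREQ"; }
case "$1" in prereqs) prereqs; exit 0 ;; esac
modprobe loop
# losetup calls gpg, which asks for the passphrase on the console
losetup -e AES128 -K /etc/rootkey.gpg /dev/loop0 /dev/sda2 || exit 1
EOF

    chmod 755 "$conf/hooks/loopaes" "$conf/scripts/local-top/loopaes"
    # Syntax-check both generated scripts without executing them
    sh -n "$conf/hooks/loopaes" && sh -n "$conf/scripts/local-top/loopaes"
}

# Stage into $STAGE_ROOT when set (use / only on the installed target system).
if [ -n "${STAGE_ROOT:-}" ]; then stage_initramfs_files "$STAGE_ROOT"; fi
```

After staging on the target system, rebuild the image with `update-initramfs -u` and boot with `root=/dev/loop0` (the assumed loop device) on the kernel command line.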


