add installer support for dm-crypt on root
would be nice if the installer:
a) could set up a boot partition and a root with dm-crypt.
b) not create a swap partition, instead add a swapfile to the root partition (so it is also encrypted and more flexible - can be resized easily)
c) maybe add software suspend 2 to the kernel which can work fine with all this (swapfiles, encrypted root, ...)
d) modify initramfs to have scripts that ask for password etc.
implementation notes:
the lrw implementation in the linux kernel can't be used for some reason, so essiv is the best encryption mode. "plain" is compatible with the older crypto loop but not as secure.
do not hash a password and use it as the crypto key. that way the password can't be changed. instead use some random bytes as the crypto key, and add those random bytes, encrypted with a passphrase, to the initramfs. (or use luks if you prefer. but with this option the key could be stored also on a smart card, with luks that would be possible).
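The key handling described in the implementation notes, as an added sketch that is not the installer's or Debian's code: a random master key is wrapped under a passphrase-derived key, so a passphrase change only re-wraps the small blob and the disk key stays the same. The PBKDF2 pad plus HMAC tag is a standard-library stand-in for a real key-wrap cipher, and the function names, iteration count and blob layout are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch
SALT_LEN, KEY_LEN, TAG_LEN = 16, 32, 32

def new_master_key():
    """Random bytes used as the actual dm-crypt key (never derived from a password)."""
    return os.urandom(KEY_LEN)

def _derive(passphrase, salt):
    """Stretch the passphrase into a 32-byte pad and a 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                              ITERATIONS, dklen=KEY_LEN + TAG_LEN)
    return okm[:KEY_LEN], okm[KEY_LEN:]

def wrap_key(master_key, passphrase):
    """Return salt || wrapped key || tag: the blob that would sit in the initramfs."""
    if len(master_key) != KEY_LEN:
        raise ValueError("master key must be 32 bytes")
    salt = os.urandom(SALT_LEN)  # fresh salt per wrap, so a pad is never reused
    pad, mac_key = _derive(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(master_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return salt + wrapped + tag

def unwrap_key(blob, passphrase):
    """Recover the master key, rejecting a wrong passphrase or a damaged blob."""
    if len(blob) != SALT_LEN + KEY_LEN + TAG_LEN:
        raise ValueError("malformed key blob")
    salt = blob[:SALT_LEN]
    wrapped = blob[SALT_LEN:SALT_LEN + KEY_LEN]
    tag = blob[SALT_LEN + KEY_LEN:]
    pad, mac_key = _derive(passphrase, salt)
    expected = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or corrupted key blob")
    return bytes(a ^ b for a, b in zip(wrapped, pad))

def change_passphrase(blob, old, new):
    """Re-wrap the same master key; the encrypted volume itself is untouched."""
    return wrap_key(unwrap_key(blob, old), new)
```

Re-wrapping does not revoke copies of the old blob: since the master key is unchanged, anyone who kept an old copy can still unwrap it with the old passphrase.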
Blueprint information
- Status: Complete
- Approver: Scott James Remnant (Canonical)
- Priority: Undefined
- Drafter: Martin Pitt
- Direction: Needs approval
- Assignee: Colin Watson
- Definition: Drafting
- Series goal: Proposed for gutsy
- Implementation: Implemented
- Milestone target: None
- Started by: Colin Watson
- Completed by: Colin Watson
Whiteboard
pitti: tentatively setting Assignee to cjwatson, since this is by and large an installer change. Most of the work is already done in Debian, though.
2007-10-12 kamion: This is in place in Gutsy now.