Improve support for encrypted file systems

Registered by Martin Pitt

The Gutsy Gibbon Alternate installer introduced the possiblity to configure encrypted devices (with cryptsetup/LUKS and dm-crypt) and offers a standard partman recipe ("Use entire disk with encryption"). For Hardy we want to review how we can improve this, in particular:

 * Provide support for it in ubiquity
 * Offer encryption support for autoresizing and "automatically partition free space" modes, too.
 * Consider support for key files (on USB sticks, etc) instead of/in addition to passphrases.

Blueprint information

Scott James Remnant (Canonical)
Martin Pitt
Needs approval
Series goal:
Accepted for hardy
Not started
Milestone target:
Completed by
Martin Pitt


pitti, 2007-11-13: Evan, Colin, Reinhard, can you please read the current spec and give some review feedback? TIA
evand, 2007-11-13: Looks good wrt Ubiquity.
siretart, 2007-11-16: looks great!
keybuk, 2007-11-20: Pending Approval - want colin to have a quick read first
kamion, 2007-11-20: I'm good
keybuk, 2007-11-22: Changed assignee to evan since the bulk of the work will be his, and it makes more sense for him to get pitti to fill in the other bits and chase -- than it does for pitti to chase evan
nigelr 2008-01-20: The current installer doesn't support AES-LRW mode, which is probably the best scheme available at the moment. Any methods for setting up encryption during install should offer this as the (default) option.
RvD 2008-02-03: Actually, LRW falls back to ECB-'security' when the encryption key is stored plain on the partition encrypted with it (crypto-swap with working hibernate)
Thus, AES-XTS is the new secure standard - and implemented in 2.6.24, too.

2008-12-15 pitti: obsoleted by encrypted-home-directory, ecryptfs is more suitable on desktops.
2012-06-28 xnox: obsoleted by ongoing work on LUKS/LVM ubiquity spec, if there is anything else left here, open wishlist bugs against correct packages.


Work Items