
Author Topic:  Caution for LUKS encrypted partitions  (Read 16196 times)

Offline Lanzi

  • User
  • Posts: 1.777
Re: Caution for LUKS encrypted partitions
« Reply #30 on: 2014/11/13, 16:14:25 »
@Bluelupo: it is right above your posting, under "My Crypttab"


Offline bluelupo

  • User
  • Posts: 2.068
    • BluelupoMe
Re: Caution for LUKS encrypted partitions
« Reply #31 on: 2014/11/13, 19:51:18 »
@Lanzi: Do you currently still have a problem with the encrypted disks? That is not so clear from the postings.

Offline Lanzi

  • User
  • Posts: 1.777
Re: Caution for LUKS encrypted partitions
« Reply #32 on: 2014/11/13, 21:14:00 »
Yes, massively! It tends to keep getting worse!

I have now installed plymouth, but have not rebooted yet. I don't have the time at the moment and am leaving everything running.
Maybe tomorrow.
I'll report back then!

Many thanks!

Offline Lanzi

  • User
  • Posts: 1.777
Re: Caution for LUKS encrypted partitions
« Reply #33 on: 2014/11/14, 15:41:32 »
One question before I reboot: installing plymouth removed console-common. Is that okay? I do not want an unbootable system ;-)

nadar

  • Guest
Re: Caution for LUKS encrypted partitions
« Reply #34 on: 2014/11/17, 20:17:21 »
So if the behaviour does not change after the update, I would suggest examining the working and non-working initrds - unpacking and diffing them may be a good idea. Only a wild guess: eventually one should add a few modules to grub too with the new initramfs-tools.

Here is a screenshot of tkdirdiff comparing the initrds of 3.15-7, 3.16-3 and 3.17-3.
The folder lib/cryptsetup, which is missing in all except 3.15.7, contains the binary askpass.
3.15-7 is my latest working kernel; 3.16-3 and 3.17-3 don't boot.

hth debugging
« Last Edit: 2014/11/17, 20:25:52 by nadar »
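The comparison described in the post above can also be done on plain file listings, as an added example that is not part of the original thread. It assumes each listing was saved with `lsinitramfs <image> > file`; the helper names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: report what a non-booting initrd lacks compared with a
# working one. Input files are listings as printed by `lsinitramfs <image>`.

# Normalise a listing: strip a leading "./" and replace the per-kernel module
# directory name, so lib/modules/<version>/... compares equal across kernels.
normalise() {
    sed -E 's#^\./##; s#^lib/modules/[^/]+#lib/modules/KVER#' "$1" | LC_ALL=C sort -u
}

# Print paths present in the working listing ($1) but absent from the broken one ($2).
missing_in_broken() {
    good=$(mktemp)
    bad=$(mktemp)
    normalise "$1" > "$good"
    normalise "$2" > "$bad"
    LC_ALL=C comm -23 "$good" "$bad"
    rm -f "$good" "$bad"
}

# Write two constructed sample listings into directory $1 (not real output).
make_samples() {
    printf '%s\n' \
        bin/busybox \
        lib/cryptsetup \
        lib/cryptsetup/askpass \
        lib/modules/3.15-7/kernel/drivers/md/dm-crypt.ko \
        sbin/cryptsetup > "$1/good.lst"
    printf '%s\n' \
        bin/busybox \
        lib/modules/3.16-3/kernel/drivers/md/dm-crypt.ko \
        sbin/cryptsetup > "$1/bad.lst"
}

# Demo on the constructed listings: prints the two lib/cryptsetup paths.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
missing_in_broken "$demo_dir/good.lst" "$demo_dir/bad.lst"
rm -rf "$demo_dir"
```

Without the version normalisation every kernel module would show up as a difference and bury the one missing directory that matters.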

Offline bluelupo

  • User
  • Posts: 2.068
    • BluelupoMe
Re: Caution for LUKS encrypted partitions
« Reply #35 on: 2014/11/17, 21:04:15 »
@nadar, have you reported your findings in a bug report? I think this is important information for the developers of LUKS/dm-crypt.
« Last Edit: 2014/11/18, 13:42:01 by bluelupo »

Offline melmarker

  • User
  • Posts: 2.799
    • g-com.eu
Re: Caution for LUKS encrypted partitions
« Reply #36 on: 2014/11/17, 21:39:39 »
hmm - one could add the missing binary and all things are ok - but I consider it a major bug with the new initramfs-utils - and this information should be a grave bug against initramfs-utils - if not there right now.
----
Nadar, if nobody has done so yet, a bug report against initramfs-utils, or whatever the things are called, would be very helpful. Until the fix you can of course also add askpass to the initrd; it would be interesting to see whether that works.

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. (Benjamin Franklin, November 11, 1755)
Never attribute to malice that which can be adequately explained by stupidity. (Hanlons razor)

hefee

  • Guest
Re: Caution for LUKS encrypted partitions
« Reply #37 on: 2014/11/18, 12:18:46 »
Well, maybe the autodetect is now better :) If someone does not use a fully encrypted system, then askpass and libcrypt are not needed in the initramfs. We should really separate the two systems:

crypted root
-> everything for decryption is needed inside the initramfs
-> systemd comes afterwards; if there was only one cryptocontainer, then everything works like a charm

non crypted root / multiple cryptocontainers
-> rootfs can be used directly
-> no need to have anything for encryption inside the initramfs
-> systemd handles the decryption
-> we hit the problem of parallelisation, of opening the cryptocontainers in parallel

but trying to put the missing things inside the initramfs is a good idea - maybe I'm wrong :)

nadar

  • Guest
Re: Caution for LUKS encrypted partitions
« Reply #38 on: 2014/11/19, 10:06:04 »
@nadar, have you reported your findings in a bug report? I think this is important information for the developers of LUKS/dm-crypt.
(also @melmarker) Not yet. Where to report? (I have no clue)

@hefee: I have a crypted root and a crypted LVM for data consisting of several HDDs.

Offline bad_aptitude

  • User
  • Posts: 78
Re: Caution for LUKS encrypted partitions
« Reply #39 on: 2014/12/09, 04:23:58 »
 I have a LUKS encrypted system set up pretty much as recommended in the siduction manual using
 an encrypted LVM which contains root,home and swap.
 I would like to wait until the problem of systemd and LUKS which happened with kernels
 after 3.15-0.towo.2-siduction-amd64  is solved.
 I have done one dist upgrade with kernel 3.16-3 and was unable to open my LUKS encrypted
 system. So I reverted back to kernel 3.15-0 which still works fine.
 
 My worry is that my system will become too obsolete and thus unworkable.
 
 Should I keep doing dist upgrades and rolling back my kernel or should I just sit tight
 with my current version or should I venture forward with a workaround?

Offline devil

  • Administrator
  • User
  • *****
  • Posts: 4.838
Re: Caution for LUKS encrypted partitions
« Reply #40 on: 2014/12/09, 06:47:34 »
Getting your package set upgraded while sticking to that kernel sounds like a good idea (while having backups at the same time)


greetz
devil

Offline bad_aptitude

  • User
  • Posts: 78
Re: Caution for LUKS encrypted partitions
« Reply #41 on: 2014/12/09, 18:29:22 »
Devil,


Thanks

Offline bad_aptitude

  • User
  • Posts: 78
Re: Caution for LUKS encrypted partitions
« Reply #42 on: 2014/12/12, 00:31:55 »
Unfortunately my distribution upgrade borked my system so I will have to reinstall.
I'm wondering if it is worth doing an encrypted installation again. I assume that if I use systemd I will be faced with the same issues again.
So my question is: Can I continue to use init instead of systemd until such time as systemd has its LUKS problems solved?

Offline melmarker

  • User
  • Posts: 2.799
    • g-com.eu
Re: Caution for LUKS encrypted partitions
« Reply #43 on: 2014/12/12, 09:06:23 »
sure you can - you will need systemd-shim to do so

Offline ralul

  • User
  • Posts: 1.814
Re: Caution for LUKS encrypted partitions
« Reply #44 on: 2014/12/15, 11:54:55 »
I'm wondering if it is worth doing an encrypted installation again.
* ralul ever wonders: Why a full encrypted system?
* ralul thinks: a separate /home encrypted is a safe house for all your private data.
But:
If you fear having some spyware running on parallel windows which can write
on your ext4 root partition some additional trojan horse.
Or:
If you have to go through customs of England and you politically support Snowden ...
experiencing siduction runs better than my gentoo makes me know I know nothing