Hi!
I have been a loop-AES user for many years. It's a great piece of software.
In the old days I was using linuxfromscratch and built loop-AES myself.
At some point I became lazy, switched to Debian and got loop-AES through the Debian repositories.
Now I'm setting up a new workstation with Debian testing (wheezy) and found that loop-AES is not in the wheezy repositories, so I decided to build it myself.
First I downloaded a Debian kernel, changed the configuration to disable the loop module, and built, installed and rebooted into the reconfigured kernel.
Then I built and installed the loop-AES modules.
- I saw that asm code is used by default if possible, but no Intel AES instructions. Is there any reason for this?
The next step was to set up a patched mount, losetup, etc...
Debian wheezy ships util-linux 2.20.1
On the other hand, loop-AES includes patches for 2.12r, 2.21.2 and 2.22.1.
I downloaded util-linux 2.21.2 and applied your patch. I built and installed the commands (mount, losetup, etc.) as noted in loop-AES.README.
So I have some util-linux commands from 2.20 (debian build) and mount, losetup, etc from 2.21.2 (loop-AES build).
- Is this correct, or must all the util-linux commands have the same version?
My intent is to have an unencrypted root partition and an encrypted partition for data. The gpg file with the encrypted keys is stored on the root partition.
I set up /etc/fstab and can manually mount the encrypted partition, and it works well, but I'd like it to be mounted when the system boots, being asked for a password of course. But if I remove the noauto fstab option, this doesn't work. In the previous loop-aes-utils Debian package I saw some files to enable filesystem checks on loop-AES partitions, and some initramfs files, but I guess those are related to root on loop-AES partitions.
- Any idea?
Thank you very much.
> I saw that asm code are used if posible by default,
> but no Intel AES instructions. Is there any reason
> for this?
Intel AES code does not necessarily compile
successfully if assembler is too old. Auto-probing that
problem case is more work than simply grep'ing kernel
configuration file.
> So I have some util-linux commands from 2.20 (debian
> build) and mount, losetup, etc from 2.21.2 (loop-AES
> build). - Is this correct or all the util-linux
> command must have same versioning?
mount and umount should be same version.
swapon and swapoff should be same version.
> I setup /etc/fstab and can manually mount encrypted
> partition and it works well, but i'd like to be
> mounted when the system boots, being asked for a
> password of course.
Try this: Modify boot scripts so that they run losetup
command before file systems are fsck'ed, and change
/etc/fstab so that device to mount is plain /dev/loopX,
and no loop= or encryption= or gpgkey= or other loop
set up related mount options on that fstab entry. When
system boots, losetup will ask for a passphrase and set
up a loop device, fsck will then fsck the file system
on that loop device, and finally mount will mount it
without any loop device set up or passphrase asking.
Sorry Jari, I've been very busy last week and couldn't answer before.
Just for reference, Intel AES compiled successfully in a standard wheezy setup. :)
I will use mount, umount and losetup from your patched version of util-linux 2.21.2 and the rest from the stock Debian package. I don't have a swap partition, so no need to patch swapon/swapoff.
I'm not sure I understand your suggestion about the boot scripts modification very well.
If I remove the specific losetup options from /etc/fstab, and file systems are not mounted yet, I will need to copy the gpg key file somewhere in the initramfs.
Is this correct?
I quickly looked at current stable release of Debian 6.0
"squeeze" init scripts, without doing any actual tests. That
distro version seems to do non-root file system fsck's from
/etc/init.d/checkfs.sh shell script. So, if you add these
lines to beginning of checkfs.sh script's do_start ()
function:
echo "Setting up encrypted loop device"
losetup -e AES128 -K /etc/fskey-sda99.gpg /dev/loop0 /dev/sda99
And this line to /etc/fstab :
/dev/loop0 /foo ext3 defaults 0 2
Then at boot, losetup asks for a passphrase and sets up
encrypted loop device before non-root file systems are
checked.
If file systems are to be checked at boot, then encrypted
loop file system gets fsck'd just like any other non-root
file system, and finally that encrypted loop file system
gets mounted just like any other non-root file system.
When /dev/loop0 has been properly set up by losetup, fsck
and mount tools see /dev/loop0 as just another device, like
/dev/sda1 or /dev/sda2. fsck and mount will access
/dev/loop0 without any knowledge that it encrypts or
decrypts writes or reads to some other backing device.
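As an added example, not part of Jari's reply or of the loop-AES package, here is a small POSIX shell script that puts the two pieces of the reply into reusable form: a function meant for the beginning of do_start () in checkfs.sh that runs losetup only when the loop device is not already bound (so re-running the script neither fails nor prompts twice), and a check that the matching /etc/fstab line is a plain entry, with no loop=, encryption=, gpgkey= or offset= options, no noauto, and a non-zero pass field, which is what lets fsck and mount treat /dev/loop0 like /dev/sda1. The device names, the key file path and the sample fstab text are constructed for the example; the assumption that "losetup /dev/loopX" exits non-zero for an unbound loop device is mine, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread or loop-AES): helpers for setting up a
# loop-AES device before non-root fsck, and for validating the fstab entry.

# Constructed sample fstab text (not a real system's /etc/fstab).
# loop0 is the shape Jari's reply describes; loop1 and loop2 are wrong on purpose.
SAMPLE_FSTAB='# <device> <mountpoint> <type> <options> <dump> <pass>
/dev/sda1 / ext3 defaults 0 1
/dev/loop0 /foo ext3 defaults 0 2
/dev/loop1 /bar ext3 loop=/dev/sda99,encryption=AES128,gpgkey=/etc/fskey-sda99.gpg,noauto 0 0
/dev/loop2 /baz ext3 defaults 0 0
'

# setup_encrypted_loop LOOPDEV BACKING KEYFILE
# Intended for the start of do_start () in /etc/init.d/checkfs.sh, where the
# root file system (and so KEYFILE) is already mounted but non-root file
# systems have not been fsck'ed yet. Assumption: "losetup LOOPDEV" exits 0
# only when LOOPDEV is already bound, so the set-up is skipped on re-runs.
setup_encrypted_loop() {
    loopdev=$1; backing=$2; keyfile=$3
    if losetup "$loopdev" >/dev/null 2>&1; then
        echo "$loopdev already set up, skipping"
        return 0
    fi
    if [ ! -r "$keyfile" ]; then
        echo "cannot read key file $keyfile" >&2
        return 1
    fi
    echo "Setting up encrypted loop device"
    # Same invocation as in the reply; losetup prompts for the passphrase.
    losetup -e AES128 -K "$keyfile" "$loopdev" "$backing"
}

# check_loop_entry DEVICE [FSTAB_TEXT]
# Prints "ok" and returns 0 when DEVICE's fstab line is a plain entry that
# checkfs.sh will fsck and that mount will mount without doing any loop
# set-up itself. Otherwise prints a reason prefix and returns 1.
# Reads /etc/fstab when no FSTAB_TEXT is given.
check_loop_entry() {
    dev=$1
    fstab=${2:-$(cat /etc/fstab)}
    line=$(printf '%s\n' "$fstab" | grep -v '^[[:space:]]*#' \
           | awk -v d="$dev" '$1 == d { print; exit }')
    if [ -z "$line" ]; then
        echo "missing: no fstab entry for $dev"
        return 1
    fi
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    pass=$(printf '%s\n' "$line" | awk '{ print $6 }')
    case ",$opts," in
        *,loop=*|*,encryption=*|*,gpgkey=*|*,offset=*)
            echo "bad-options: $dev carries loop set-up options ($opts); losetup in checkfs.sh should do the set-up instead"
            return 1 ;;
        *,noauto,*)
            echo "noauto: $dev will not be mounted at boot"
            return 1 ;;
    esac
    if [ "${pass:-0}" = 0 ]; then
        echo "no-fsck: pass field is 0, so checkfs.sh will not fsck $dev"
        return 1
    fi
    echo ok
    return 0
}

# Stand-alone demonstration over the constructed sample.
for d in /dev/loop0 /dev/loop1 /dev/loop2; do
    printf '%s: ' "$d"; check_loop_entry "$d" "$SAMPLE_FSTAB" || true
done
```

Running the script as-is only exercises check_loop_entry against the embedded sample; setup_encrypted_loop is meant to be copied into checkfs.sh and called as setup_encrypted_loop /dev/loop0 /dev/sda99 /etc/fskey-sda99.gpg before the fsck loop, with the fstab line kept exactly as the reply shows it.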