Samstag, 24. Oktober 2009

Problems in karmic due to the use of an encrypted home dir

I've choosen to use an encrypted home directory during the karmic installation.
First i was confused cause there was another crypt option, it was create a crypted pyhsical partition, in partition manager. But as you can't use this as logical volume and install ext4 and swap within i didn't use this one.

The main question was just after installation at the point were use details has been shifted too. After entering those I could chooose either to use or (by default) not to use an encrypted home dir.
The main point with it is that data can't be stolen anymore with an live cd.

After isntalling those things I ended up with an error on bootup which said "cryptswap not yet ready".
I wondered what the cryptswap may be an mzz told me on IRC.
It's a wrapper withing the real swap which is crypted by a one time pad created at bootup to ensure that data which has been swapped couldn't be read after shutdown.

Sadly we didn't find anything which encountered the problem, so I simply disabled the encrypted swap - I know I'm not save anymore but I'm sure my siblings woun't know how to extract something from SWAP :-)

So here's the way to do so:

  • comment out the line in /etc/crypttab,
#
#cryptswap1 /dev/sda6 /dev/urandom swap,cipher=aes-cbc-essiv:sha256
  • in /etc/fstab/ replace "/dev/main/cryptswap1" with the actual partition which is the orange one from 1. - I've done a copy an commented the first one
# /etc/fstab: static file system information.
#
# Use 'blkid -o value -s UUID' to print the universally unique identifier
# for a device; this may be used with UUID= as a more robust way to name
# devices that works even if disks are added and removed. See fstab(5).
#
#
[... this part will look different for everyone depending on his partitions - DON'T touch it unless you know what you do!]
#swap crypt wrapper [this line was added to get some headings into the file]
#/dev/mapper/cryptswap1 none swap sw 0 0 [old one]
/dev/sda6 none swap sw 0 0 [new one]

DON'T wirte those things in [] ! those are my comments here !
  • and run "mkswap" on the actual partition after cryptsetup is done with it
sudo mkswap /dev/sda6
And that's what the secured partition looks like in a 9.04 live CD

PS: If someone know against which package a bug should be filed in this case, pls drop off an comment. (upsart, nautilus, fstab ... ?)

--------------------

Talking today one again on IRC ew went to the conclusion that this error may be cause due to a too small timeout until cryptswap is ready, I've filed a bug against it, and hopefully waiting for some makeup here:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/459985

PS: reverted the above settings as performance difference may only exist in my mind here.
Geschrieben von um
Labels: