Mailinglist Archive: opensuse-factory (528 mails)
Re: [opensuse-factory] /etc/init.d/boot.crypto , LUKS extension, unattached devices
- From: Ludwig Nussel <ludwig.nussel@xxxxxxx>
- Date: Wed, 2 May 2007 12:26:50 +0200
- Message-id: <200705021226.51307.ludwig.nussel@xxxxxxx>
Volker Kuhlmann wrote:
> On Sun 29 Apr 2007 09:11:12 NZST +1200, Jochen Hayek wrote:
>
> > May I suggest a change to /etc/init.d/boot.crypto ?
>
> Thanks for that, I second your suggestions. A few days ago I had a play
> with an encrypted removable disk. My comments:
>
> 1) The only way to create such a disk, on a removable memory gimmick
> which are of plentiful supply and very popular, is to go into yast disk
> partitioner and to click a few dire warnings "this is only for
> advanced..." out of the way, and going all the way with "custom".
> Actually same issue with non-encrypted removable storage. Something more
> user-friendly would be a good idea for 10.4.
>
> 2) The only functional fstab entry I found is:
>
> /dev/disk/by-id/usb-HTS54104_MPB2LAX2xxxxxx_B26A82xxxxxx-part1 /media/portable2 ext3 loop,encryption=twofish256,acl,user_xattr,user,nosuid,nodev,noexec,noauto 0 0
>
> For the reasons Jochen explained, reference by sdXN is useless. The yast
> fstab editor (disk partitioner) is unable to create such an entry,
> because as soon as "encrypt filesystem" is clicked, the button to enter
> the 4 advanced options disappears from the screen. Of those 4 options
> (of referencing the partition), only by-ID can work. So the other 3 (but
> UUID, etc) should be greyed out or disappear, but by-ID must stay, in
> fact it should be default.

That's unrelated to boot.crypto. Please consider filing a bug for YaST.

> 3) The system (tested 10.2) fails to load the cryptoloop module. This
> must be loaded manually by root first, or the filesystem can never be
> mounted. One could add it to MODULES_LOADED_ON_BOOT. boot.crypto loads
> it but *only* if a fixed disk with encrypted fs is also in the system.

10.3 boot.crypto will not use cryptoloop so that problem should be obsolete.

> 4) Optical problem only: If /etc/cryptotab exists, boot.crypto switches
> to text console, finds it doesn't have to do anything because I
> commented out the lines but don't want to delete them as it has the info
> I need for fstab, or because the disk is currently not plugged in, then
> switches back to graphics boot screen.

Please file a bug and assign it to me.

> 5) The removable disk must be mountable by $user, as the other movable
> storage things.
>
> 6) There's no desktop auto-popup asking for the fs crypto password.

hal supports both for LUKS volumes at the backend side of things.
KDE/GNOME need to implement the UI. On the command line you can
mount such volumes with the halmount script (in a still slightly
inconvenient way though).

cu
Ludwig
--
(o_ Ludwig Nussel
//\ SUSE Labs
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
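
Added example, not part of the original thread or of boot.crypto: a small fstab audit for the situation discussed in point 2, flagging encrypted or user-mountable entries that reference a kernel name (sdXN) instead of /dev/disk/by-id, or that do not spell out nosuid, nodev and noexec as the quoted entry does. The function names audit_fstab and sample_fstab and the sample device id are constructed for illustration.

```shell
#!/bin/sh
# Reads fstab-format text on stdin and prints one finding per line
# as "<mountpoint>: <problem>". Nothing is printed for clean entries.
audit_fstab() {
    while read -r dev mnt fstype opts _rest; do
        # Skip blank lines and comments.
        case "$dev" in ''|'#'*) continue ;; esac
        # Only entries that are encrypted or mountable by ordinary users.
        case ",$opts," in
            *,encryption=*|*,user,*|*,users,*) ;;
            *) continue ;;
        esac
        # Kernel names depend on plug order, so a removable disk may
        # appear under a different sdXN next time.
        case "$dev" in
            /dev/sd[a-z]*|/dev/hd[a-z]*)
                echo "$mnt: unstable device name $dev" ;;
        esac
        # Assumed policy: hardening options must be listed explicitly.
        for want in nosuid nodev noexec; do
            case ",$opts," in
                *",$want,"*) ;;
                *) echo "$mnt: missing $want" ;;
            esac
        done
    done
}

# Constructed sample input (device ids and mount points are made up).
sample_fstab() {
    cat <<'EOF'
# constructed sample fstab
/dev/disk/by-id/usb-EXAMPLE_DISK_0001-part1 /media/portable2 ext3 loop,encryption=twofish256,acl,user_xattr,user,nosuid,nodev,noexec,noauto 0 0
/dev/sdb1 /media/stick ext3 loop,encryption=twofish256,user,noauto 0 0
/dev/sda2 / ext3 acl,user_xattr 1 1
EOF
}

sample_fstab | audit_fstab
```

To check a real system, run `audit_fstab < /etc/fstab` after sourcing the functions.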