Installing Debian on encrypted block devices

This page describes the development of d-i support for installing on encrypted block devices. The aim is to allow users to set up loop-AES, dm-crypt or LUKS encrypted partitions for the system and data parts of a Debian system during the installation.

partman-crypto

/!\ IMPORTANT: The current implementation is still pre-beta and has not been audited for flaws that could produce weak keys, leak key data or otherwise introduce weaknesses in the encryption. Please don't use it for any confidential data before the beta release.

Key generation in d-i

Encryption keys for loop-AES are created from /dev/random. It is important that we have a good source of entropy to allow us to extract the required amount of key data from /dev/random (each loop-AES v3 key requires 2925 bytes of random data). Currently the low amount of entropy in the kernel pool causes the key generation to block for a long time.

There are some ideas for how to solve this:

The current idea is to check whether rngd (package rng-tools) could be extended to read from one or more FIFOs and character devices, run the FIPS tests on that input and feed the kernel entropy pool. If this is feasible, audio-entropyd, video-entropyd, software for collecting network traffic timings etc. could be packaged and made to feed rngd. TODO: Ask hmh@d.o if this approach makes sense and is feasible.
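Added example, not code from this page or from rng-tools: a Python re-implementation of the FIPS 140-2 block tests (monobit, poker, runs, long run) that rngd applies to each 20000-bit block before it is fed to the kernel pool, so that a degenerate entropy source is rejected rather than counted. The acceptance intervals are those of FIPS 140-2 Change Notice 1; the sample input is constructed from SHA-256 in counter mode.

```python
# FIPS 140-2 statistical tests over one 20000-bit block, the checks rngd runs
# before crediting an input source. Constructed re-implementation, not fips.c.
import hashlib

FIPS_BITS = 20000
FIPS_BYTES = FIPS_BITS // 8
# Acceptance intervals from FIPS 140-2 Change Notice 1 (the set rng-tools uses).
MONOBIT = (9725, 10275)             # number of 1 bits, exclusive bounds
POKER = (2.16, 46.17)               # chi-square over 4-bit nibbles, exclusive
RUNS = [(2315, 2685), (1114, 1386), (527, 723), (240, 384), (103, 209), (103, 209)]  # lengths 1..5, 6+
LONG_RUN = 26                       # any run this long or longer fails


def _bits(block):
    for byte in block:
        for i in range(8):          # LSB first; any fixed order is fine
            yield (byte >> i) & 1


def fips_tests(block):
    """Return {test_name: passed} for one 2500-byte block."""
    assert len(block) == FIPS_BYTES, "FIPS tests need exactly one 2500-byte block"
    bits = list(_bits(block))
    ones = sum(bits)
    freq = [0] * 16                 # poker: histogram of the 5000 nibbles
    for byte in block:
        freq[byte & 0xF] += 1
        freq[byte >> 4] += 1
    poker = 16.0 / 5000 * sum(f * f for f in freq) - 5000
    runs = [[0] * 6, [0] * 6]       # runs[bit][length-1], last bucket = 6 or more
    longest, i = 0, 0
    while i < FIPS_BITS:
        j = i
        while j < FIPS_BITS and bits[j] == bits[i]:
            j += 1
        runs[bits[i]][min(j - i, 6) - 1] += 1
        longest = max(longest, j - i)
        i = j
    return {
        "monobit": MONOBIT[0] < ones < MONOBIT[1],
        "poker": POKER[0] < poker < POKER[1],
        "runs": all(lo <= runs[b][k] <= hi for b in (0, 1) for k, (lo, hi) in enumerate(RUNS)),
        "long_run": longest < LONG_RUN,
    }


def sample_stream(seed, nbytes=FIPS_BYTES):
    """Constructed deterministic sample: SHA-256 in counter mode over a seed."""
    out = b""
    for ctr in range((nbytes + 31) // 32):
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
    return out[:nbytes]
```

A stuck source (all zeros) fails every test, an oscillating one (0xAA bytes) passes monobit but fails poker and runs, which is exactly why rngd does not trust a bit count alone.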

Status

loop-AES support in partman-crypto requires gnupg-udeb, which is not available in the Debian archive. Work on dm-crypt and LUKS support has only just started (see [http://lists.debian.org/debian-boot/2006/03/msg00235.html this thread]). The upload of partman-crypto is blocked on getting one of loop-AES or LUKS working with only packages in the Debian archive.

First stage

|| Package || Purpose || Status ||
|| partman-crypto || general || {X} needs upload, blocked by missing gnupg and uuencode ||
|| cdebconf-entropy || general || {X} needs upload ||
|| gnupg-udeb || loop-AES keyfiles || {X} missing ([http://bugs.debian.org/321948 Bug #321948]) ||
|| loop-aes-$KVERS-di || loop-AES kernel support || (./) in unstable (working out build problems on some archs) ||

Second stage

|| Package || Purpose || Status ||
|| loop-aes-$KVERS || loop-AES kernel support || (./) in unstable ||

See also: partman-crypto [http://svn.debian.org/wsvn/d-i/trunk/packages/partman/partman-crypto/TODO?op=file TODO]

TODO before beta

Plans for v1.0+

History