Installing Debian on encrypted block devices
This page describes the development of d-i support for installing on encrypted block devices. The aim is to allow users to set up loop-AES, dm-crypt or LUKS encrypted partitions for the system and data parts of a Debian system during the installation.
Status
IMPORTANT: This code is still pre-beta and has not been audited for flaws that could introduce weaknesses in the encryption. Please don't use it for any confidential data before the beta release.
|| First stage ||
|| partman-crypto || general || needs upload, blocked by missing gnupg and uuencode ||
|| gnupg-udeb || loop-AES keyfiles || missing ([http://bugs.debian.org/321948 #321948]) ||
|| busybox-udeb with CONFIG_UUENCODE=y || loop-AES keyfiles || missing (Bug #323436) ||
|| cdebconf-plugin-entropy || loop-AES keyfiles || needs framework for building external cdebconf plugins ||
|| loop-aes-$KVERS-di || loop-AES kernel support || in experimental (working out build problems on some archs) ||
|| Second stage ||
|| loop-aes-$KVERS || loop-AES kernel support || in experimental ||
See also: partman-crypto [http://svn.debian.org/wsvn/d-i/trunk/packages/partman/partman-crypto/TODO?op=file TODO]
partman-crypto
[http://svn.debian.org/wsvn/d-i/trunk/packages/partman/partman-crypto SVN repository]
[http://svn.debian.org/wsvn/d-i/trunk/packages/partman/partman-crypto/README?op=file Documentation for hackers]
[http://svn.debian.org/wsvn/d-i/trunk/packages/partman/partman-crypto/TODO?op=file TODO]
Plans / Roadmap
- Beta
  - All required packages uploaded
  - Audited for leaks of keydata or weak implementation
  - Tested
- v1.0 ("ready for use")
  - Tested
- v1.0+
  - Support for dm-crypt
  - Support for dm-crypt LUKS
  - loop-AES keyfiles on removable media
  - Existing (pre-generated) loop-AES keyfiles
  - Encrypted root partition
History
Initial announcement (thread starting at http://lists.debian.org/debian-boot/2005/08/msg00195.html)
Code snapshot with mini.iso (2005-08-05) http://decl.org/~max/debian-installer/