Debian Cryptsetup Sprint
Location, Date
- when: June 16-17
- where: Frankfurt
Participants
No | Name | confirmed | Arrival date/time | Departure date/time | Travel sponsorship required | Comment |
1 | Guilhem Moulin | yes | 2018-06-14 evening | 2018-06-18 morning | yes | - |
2 | Jonas Meurer | yes | 2018-06-14 evening | 2018-06-18 morning | no | - |
Agenda
(Ambitious) Tentative agenda:
- Finish refactoring of the initramfs & init scripts
- Bug triaging (quite a few are blocking on said refactoring)
- luksSuspend integration (pending for the rootfs):
  - use cryptsetup's luksSuspend feature to lock dm-crypt devices before suspend to RAM. The user is required to unlock the disk upon resume.
  - data in memory is not protected, but the rest of the root FS is.
- luks nuke feature: https://www.kali.org/tutorials/nuke-kali-linux-luks/
- systemd integration and future of cryptscripts
  - patch cryptsetup.c in systemd to support cryptscripts? Need input from the systemd maintainers
    - https://github.com/systemd/systemd/pull/3007#pullrequestreview-39358162
    - https://lists.freedesktop.org/archives/systemd-devel/2012-June/005693.html
- ephemeral swap encryption:
  - makes sense to use a random ephemeral key for volatile partitions such as /tmp or swap (when suspend-to-disk is not desired)
  - /dev/urandom might yield deterministic encryption keys if used early in the boot process
  - /dev/random blocks and drains the entropy pool
  - write a new keyscript using getrandom(2)? Or maybe integrate that in cryptsetup itself with a --random-key flag, and add a matching crypttab(5) option
- improve QA for (semi-)automatic regression tests
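
The getrandom(2) keyscript idea from the ephemeral swap item, as an added example (not code from the sprint or from the cryptsetup package). The names pool_ready, fill_key and KEY_BYTES and the 32-byte key length are assumptions made for illustration.

```c
/* Added example, not Debian's keyscript: emit a random volume key on stdout. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>
#include <sys/types.h>

#define KEY_BYTES 32 /* assumed key length (256 bits) */

/* 1 if kernel RNG is seeded, 0 if not yet (EAGAIN under GRND_NONBLOCK), -1 on error. */
int pool_ready(void)
{
    unsigned char probe;
    if (getrandom(&probe, sizeof probe, GRND_NONBLOCK) == 1)
        return 1;
    return errno == EAGAIN ? 0 : -1;
}

/* Fill buf with len random bytes. With flags == 0 the call waits only until
 * the pool has been initialized once: no pre-seed output as /dev/urandom may
 * give early at boot, no repeated blocking as with /dev/random. */
int fill_key(unsigned char *buf, size_t len)
{
    size_t off = 0;
    while (off < len) {
        ssize_t n = getrandom(buf + off, len - off, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue; /* interrupted while waiting for the seed */
            return -1;
        }
        off += (size_t)n;
    }
    return 0;
}

int main(void)
{
    unsigned char key[KEY_BYTES];
    if (pool_ready() == 0)
        fputs("keyscript: waiting for the kernel RNG to be seeded\n", stderr);
    if (fill_key(key, sizeof key) != 0) {
        perror("getrandom");
        return 1;
    }
    size_t written = fwrite(key, 1, sizeof key, stdout); /* key goes to stdout */
    memset(key, 0, sizeof key); /* best-effort wipe of the local copy */
    return written == sizeof key ? 0 : 1;
}
```

The key is written to standard output because that is where crypttab(5) keyscripts hand their key to cryptsetup.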
Reports
- announcement: https://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/2018-May/007577.html
- report: https://blog.freesources.org/posts/2018/06/debian_cryptsetup_sprint_report/
Acknowledgements
The sprint was made possible thanks to:
- donations to the Debian project