-rw-r--r--  build/entities/urls.ent                    |   3
-rw-r--r--  build/templates/docstruct.ent              |   1
-rw-r--r--  en/boot-new/boot-new.xml                   | 147
-rw-r--r--  en/using-d-i/components.xml                |   1
-rw-r--r--  en/using-d-i/modules/mdcfg.xml             |   2
-rw-r--r--  en/using-d-i/modules/partman-crypto.xml    | 363
6 files changed, 517 insertions, 0 deletions
diff --git a/build/entities/urls.ent b/build/entities/urls.ent
index df87c9d90..453642618 100644
--- a/build/entities/urls.ent
+++ b/build/entities/urls.ent
@@ -174,6 +174,9 @@
<!ENTITY url-opn "http://www.openprojects.net/">
<!ENTITY opn-irc-server "irc.openprojects.net">
+<!-- LUKS -->
+<!ENTITY url-luks "http://luks.endorphin.org/">
+
<!-- ******************************************
HOWTOs and FAQs (general)
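Review bot: the new url-luks entity is dropped between the OPN/IRC entries and the "HOWTOs and FAQs (general)" block, which breaks the topical grouping the file otherwise keeps; since it is referenced only from the LUKS footnote in partman-crypto.xml, place it under the HOWTOs/FAQs section (the LUKS page is user documentation) or start a small encryption group there, so urls.ent stays navigable as further crypto links (loop-AES, cryptsetup) are added.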
diff --git a/build/templates/docstruct.ent b/build/templates/docstruct.ent
index 26e5bee2d..583ed4689 100644
--- a/build/templates/docstruct.ent
+++ b/build/templates/docstruct.ent
@@ -117,6 +117,7 @@
<!ENTITY module-partconf.xml SYSTEM "##SRCPATH##/using-d-i/modules/partconf.xml">
<!ENTITY module-lvmcfg.xml SYSTEM "##SRCPATH##/using-d-i/modules/lvmcfg.xml">
<!ENTITY module-mdcfg.xml SYSTEM "##SRCPATH##/using-d-i/modules/mdcfg.xml">
+ <!ENTITY module-partman-crypto.xml SYSTEM "##SRCPATH##/using-d-i/modules/partman-crypto.xml">
<!ENTITY module-finish-install.xml SYSTEM "##SRCPATH##/using-d-i/modules/finish-install.xml">
<!ENTITY module-base-installer.xml SYSTEM "##SRCPATH##/using-d-i/modules/base-installer.xml">
<!ENTITY module-kernel-chooser.xml SYSTEM "##SRCPATH##/using-d-i/modules/kernel-chooser.xml">
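Review bot: the added module-partman-crypto.xml declaration is indented one space deeper than the surrounding module-*.xml entries; drop the leading space so the list stays aligned. The placement itself is right: it follows module-mdcfg.xml, matching the include order used in components.xml in this same commit.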
diff --git a/en/boot-new/boot-new.xml b/en/boot-new/boot-new.xml
index d2452f3d2..faef837d0 100644
--- a/en/boot-new/boot-new.xml
+++ b/en/boot-new/boot-new.xml
@@ -187,6 +187,153 @@ for more information.
</sect2>
</sect1>
+ <sect1 id="mount-encrypted-volumes">
+ <title>Mounting encrypted volumes</title>
+
+<para>
+
+If you created encrypted volumes during the installation and assigned
+them mount points, you will be asked to enter the passphrase for each
+of these volumes during the boot. The actual procedure differs
+slightly between dm-crypt and loop-AES.
+
+</para>
+
+ <sect2 id="mount-loop-aes">
+ <title>loop-AES</title>
+
+<para>
+
+For partitions encrypted via loop-AES you will be shown the following
+prompt during the boot:
+
+<informalexample><screen>
+mount: going to use loop device /dev/loop<replaceable>X</replaceable>
+Password:
+</screen></informalexample>
+
+In the first line of the prompt, <replaceable>X</replaceable> is the
+number of the loop device. You are now probably wondering
+<emphasis>for which volume</emphasis> you are actually entering the
+passphrase. Does is relate to your <filename>/home</filename>? Or to
+<filename>/var</filename>? Of course, if you have just one encrypted
+volume, this is easy and you can just enter the passphrase you used
+when setting up this volume. If you set up more than one encrypted
+volume during the installation, the notes you wrote down as the last
+step in <xref linkend="partman-crypto"/> come in handy. If you did not
+make a note of the mapping between
+<filename>loop<replaceable>X</replaceable></filename> and the mount
+points before, you can still find it
+in <filename>/etc/fstab</filename> of your new system.
+
+</para><para>
+
+No characters (even asterisks) will be shown while entering the
+passphrase. Be careful, you have only <emphasis>one try</emphasis>. If
+you enter wrong passphrase, an error message will appear and the boot
+process will skip that volume and continue to mount the next
+filesystem. Please see <xref linkend="crypto-troubleshooting"/> for
+further information.
+
+</para><para>
+
+After entering all passphrases the boot should continue as usual.
+
+</para>
+ </sect2>
+
+ <sect2 id="mount-dm-crypt">
+ <title>dm-crypt</title>
+
+<para condition="FIXME">
+
+TODO: write something once it works.
+
+</para>
+ </sect2>
+
+ <sect2 id="crypto-troubleshooting">
+ <title>Troubleshooting</title>
+
+<para>
+
+If some of the encrypted volumes could not be mounted because a wrong
+passphrase was entered, you will have to mount them manually after the
+boot. There are several cases.
+
+</para>
+
+<itemizedlist>
+<listitem><para>
+
+The first case concerns the root partition. When it is not mounted
+correctly, the boot process will halt and you will have to reboot the
+computer to try again.
+
+</para></listitem>
+<listitem><para>
+
+The easiest case is for encrypted volumes holding data like
+<filename>/home</filename> or <filename>/srv</filename>. You can
+simply mount them manually after the boot. For loop-AES this is
+one-step operation:
+
+<informalexample><screen>
+<prompt>#</prompt> <userinput>mount <replaceable>/mount_point</replaceable></userinput>
+<prompt>Password:</prompt>
+</screen></informalexample>
+
+where <replaceable>/mount_point</replaceable> should be replaced by
+the particular directory (e.g. <filename>/home</filename>). The only
+difference from an ordinary mount is that you will be asked to enter
+the passphrase for this volume.
+
+</para><para>
+
+For dm-crypt this is a bit trickier. First you need to register the
+volumes with <application>device mapper</application> by running:
+
+<informalexample><screen>
+<prompt>#</prompt> <userinput>/etc/init.d/cryptdisks start</userinput>
+</screen></informalexample>
+
+This will scan all volumes mentioned
+in <filename>/etc/crypttab</filename> and will create appropriate
+devices under the <filename>/dev</filename> directory after entering
+the correct passphrases. (Already registered volumes will be skipped,
+so you can repeat this command several times without worrying.) After
+successful registration you can simply mount the volumes the usual
+way:
+
+<informalexample><screen>
+<prompt>#</prompt> <userinput>mount <replaceable>/mount_point</replaceable></userinput>
+</screen></informalexample>
+
+</para></listitem>
+<listitem><para>
+
+If the volumes holding noncritical system files could not be mounted
+(<filename>/usr</filename> or <filename>/var</filename>), the system
+should still boot and you should be able to mount the volumes manually
+like in the previous case. However, you will also need to (re)start
+any services usually running in your default runlevel because it is
+very likely that they were not started. The easiest way to achieve
+this is by switching to the first runlevel and back by entering
+
+<informalexample><screen>
+<prompt>#</prompt> <userinput>init 1</userinput>
+</screen></informalexample>
+
+at the shell prompt and pressing <keycombo> <keycap>Control</keycap>
+<keycap>D</keycap> </keycombo> when asked for the root password.
+
+</para></listitem>
+</itemizedlist>
+
+ </sect2>
+ </sect1>
+
+
<sect1 id="login">
<title>Log In</title>
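Review bot: the new "dm-crypt" sect2 (id mount-dm-crypt) ships only a FIXME placeholder ("TODO: write something once it works") even though partman-crypto.xml in this same commit recommends dm-crypt as the default method, so a reader who followed the recommended path gets no boot-time guidance at all; at minimum state that the boot prompts for the passphrase of each LUKS volume listed in /etc/crypttab and point at the troubleshooting section, or put condition="FIXME" on the whole sect2 so an empty section is not built. In the troubleshooting item for dm-crypt, "/etc/init.d/cryptdisks start" creates the mapped devices under /dev/mapper/ (named after the crypttab entry), not directly under /dev; naming the path lets the reader verify which volume was unlocked before running mount. Wording fixes in the loop-AES text: "Does is relate" should be "Does it relate", "If you enter wrong passphrase" should be "If you enter a wrong passphrase", and "this is one-step operation" should be "this is a one-step operation".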
diff --git a/en/using-d-i/components.xml b/en/using-d-i/components.xml
index 68ab42b91..453bb9388 100644
--- a/en/using-d-i/components.xml
+++ b/en/using-d-i/components.xml
@@ -74,6 +74,7 @@ like LVM or RAID devices.
&module-partconf.xml;
&module-lvmcfg.xml;
&module-mdcfg.xml;
+&module-partman-crypto.xml;
</sect2>
<sect2 id="di-system-setup">
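Review bot: the include sits in the right place (after module-mdcfg.xml, matching the docstruct.ent order), but the sentence quoted in the hunk header ("like LVM or RAID devices.") still names only LVM and RAID; if it introduces this group of partitioning modules, extend it to mention encrypted volumes now that partman-crypto is documented here.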
diff --git a/en/using-d-i/modules/mdcfg.xml b/en/using-d-i/modules/mdcfg.xml
index e39e403bb..1a14f9580 100644
--- a/en/using-d-i/modules/mdcfg.xml
+++ b/en/using-d-i/modules/mdcfg.xml
@@ -168,6 +168,8 @@ configuration or installation steps manually from a shell.
Next, you should choose <guimenuitem>Configure software
RAID</guimenuitem> from the main <command>partman</command> menu.
+(The menu will only appear after you mark at least one partition for
+use as <guimenuitem>physical volume for RAID</guimenuitem>.)
On the first screen of <command>mdcfg</command> simply select
<guimenuitem>Create MD device</guimenuitem>. You will be presented with
a list of supported types of MD devices, from which you should choose
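Review bot: the parenthetical about the "Configure software RAID" menu only appearing once a partition is marked as "physical volume for RAID" is unrelated to the encrypted-volume documentation the rest of this commit adds; split it into its own commit so the log stays accurate and the translators' revision tracking for mdcfg.xml is not tied to the crypto work. The clarification is useful, but it would read better as a full sentence before "Next, you should choose ..." than as a parenthesis wedged between the menu name and the next step.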
diff --git a/en/using-d-i/modules/partman-crypto.xml b/en/using-d-i/modules/partman-crypto.xml
new file mode 100644
index 000000000..8b4c69c50
--- /dev/null
+++ b/en/using-d-i/modules/partman-crypto.xml
@@ -0,0 +1,363 @@
+<!-- retain these comments for translator revision tracking -->
+<!-- $Id$ -->
+
+ <sect3 id="partman-crypto">
+ <title>Configuring Encrypted Volumes</title>
+<para>
+
+&d-i; allows you to set up encrypted partitions. Every file you write
+to such a partition is immediately saved to the device in encrypted
+form. Access to the encrypted data is granted only after entering
+the <firstterm>passphrase</firstterm> used when the encrypted
+partition was originally created. This feature is useful to protect
+sensitive data in case your laptop or hard drive gets stolen. The
+thief might get physical access to the hard drive, but without knowing
+the right passphrase, the data on the hard drive will look like random
+characters.
+
+</para><para>
+
+The two most important partitions to encrypt are: the home partition,
+where your private data resides, and the swap partition, where
+sensitive data might be stored temporarily during operation. Of
+course, nothing prevents you from encrypting any other partitions that might
+be of interest. For example <filename>/var</filename> where database
+servers, mail servers or print servers store their data, or
+<filename>/tmp</filename> which is used by various programs to store
+potentially interesting temporary files. Some people may even want to
+encrypt their whole system. The only exception is
+the <filename>/boot</filename> partition which must remain
+unencrypted, because currently there is no way to load the kernel from
+an encrypted partition.
+
+</para><note><para>
+
+Please note that the performance of encrypted partitions will be
+less than that of unencrypted ones because the data needs to be
+decrypted or encrypted for every read or write. The performance impact
+depends on your CPU speed, chosen cipher and a key length.
+
+</para></note><para>
+
+To use encryption, you have to create a new partition by selecting
+some free space in the main partitioning menu. Another option is to
+choose an existing partition (e.g. a regular partition, an LVM logical
+volume or a RAID volume). In the <guimenu>Partition setting</guimenu>
+menu, you need to select <guimenuitem>physical volume for
+encryption</guimenuitem> at the <menuchoice> <guimenu>Use
+as:</guimenu> </menuchoice> option. The menu will then change to
+include several cryptographic options for the partition.
+
+</para><para>
+
+&d-i; supports several encryption methods. The default method
+is <firstterm>dm-crypt</firstterm> (included in newer Linux kernels,
+able to host LVM physical volumes), the other
+is <firstterm>loop-AES</firstterm> (older, maintained separately from
+the Linux kernel tree). Unless you have compelling reasons to do
+otherwise, it is recommended to use the default.
+
+<!-- TODO: link to the "Debian block device encryption guide"
+ once Max writes it :-) -->
+
+</para><para>
+
+First, let's have a look at available options available when you
+select <userinput>Device-mapper (dm-crypt)</userinput> as the
+encryption method. As always: when in doubt, use the defaults, because
+they have been carefully chosen with security in mind.
+
+<variablelist>
+
+<varlistentry>
+<term>Encryption: <userinput>aes</userinput></term>
+
+<listitem><para>
+
+This option lets you select the encryption algorithm
+(<firstterm>cipher</firstterm>) which will be used to encrypt the data
+on the partition. &d-i; currently supports the following block
+ciphers: <firstterm>aes</firstterm>, <firstterm>blowfish</firstterm>,
+<firstterm>serpent</firstterm>, and <firstterm>twofish</firstterm>.
+It is beyond the scope of this document to discuss the qualities of
+these different algorithms, however, it might help your decision to
+know that in 2000, <emphasis>AES</emphasis> was chosen by the American
+National Institute of Standards and Technology as the standard
+encryption algorithm for protecting sensitive information in the 21st
+century.
+
+</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term>Key size: <userinput>256</userinput></term>
+
+<listitem><para>
+
+Here you can specify the length of the encryption key. With a larger
+key size, the strength of the encryption is generally improved. On the
+other hand, increasing the length of the key usually has a negative
+impact on performance. Available key sizes vary depending on the
+cipher.
+
+</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term>IV algorithm: <userinput>cbc-essiv:sha256</userinput></term>
+
+<listitem><para>
+
+The <firstterm>Initialization Vector</firstterm> or
+<firstterm>IV</firstterm> algorithm is used in cryptography to ensure
+that applying the cipher on the same <firstterm>clear text</firstterm>
+data with the same key always produces a unique
+<firstterm>cipher text</firstterm>. The idea is to prevent the
+attacker from deducing information from repeated patterns in the encrypted
+data.
+
+</para><para>
+
+From the provided alternatives, the default
+<userinput>cbc-essiv:sha256</userinput> is currently the least
+vulnerable to known attacks. Use the other alternatives only when you
+need to ensure compatibility with some previously installed system
+that is not able to use newer algorithms.
+
+</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term>Encryption key: <userinput>Passphrase</userinput></term>
+
+<listitem><para>
+
+Here you can choose the type of the encryption key for this partition.
+
+ <variablelist>
+ <varlistentry>
+ <term>Passphrase</term>
+ <listitem><para>
+
+The encryption key will be computed<footnote>
+<para>
+
+Using a passphrase as the key currently means that the partition will
+be set up using <ulink url="&url-luks;">LUKS</ulink>.
+
+</para></footnote> on the basis of a passphrase which you will be able
+to enter later in the process.
+
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Random key</term>
+ <listitem><para>
+
+A new encryption key will be generated from random data each time you
+try to bring up the encrypted partition. In other words: on every
+shutdown the content of the partition will be lost as the key is
+deleted from memory. (Of course, you could try to guess the key with a
+brute force attack, but unless there is an unknown weakness in the
+cipher algorithm, it is not achievable in our lifetime.)
+
+ </para><para>
+
+Random keys are useful for swap partitions because you do not need to
+bother yourself with remembering the passphrase or wiping sensitive
+information from the swap partition before shutting down your
+computer. However, it also means that you
+will <emphasis>not</emphasis> be able to use
+the <quote>suspend-to-disk</quote> functionality offered by newer
+Linux kernels as it will be impossible (during a subsequent boot) to
+recover the suspended data written to the swap partition.
+
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+
+</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term>Erase data: <userinput>yes</userinput></term>
+
+<listitem><para>
+
+Determines whether the content of this partition should be overwritten
+with random data before setting up the encryption. This is recommended
+because it might otherwise be possible for an attacker to discern
+which parts of the partition are in use and which are not. In
+addition, this will make it harder to recover any leftover data from
+previous installations<footnote><para>
+
+It is believed that the guys from three-letter agencies can restore
+the data even after several rewrites of the magnetooptical media,
+though.
+
+</para></footnote>.
+
+</para></listitem>
+</varlistentry>
+
+</variablelist>
+
+</para><para>
+
+If you select <menuchoice> <guimenu>Encryption method:</guimenu>
+<guimenuitem>Loopback (loop-AES)</guimenuitem> </menuchoice>, the menu
+changes to provide the following options:
+
+
+<variablelist>
+<varlistentry>
+<term>Encryption: <userinput>AES256</userinput></term>
+
+<listitem><para>
+
+For loop-AES, unlike dm-crypt, the options for cipher and key size are
+combined, so you can select both at the same time. Please see the
+above sections on ciphers and key sizes for further information.
+
+</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term>Encryption key: <userinput>Keyfile (GnuPG)</userinput></term>
+
+<listitem><para>
+
+Here you can select the type of the encryption key for this partition.
+
+ <variablelist>
+ <varlistentry>
+ <term>Keyfile (GnuPG)</term>
+ <listitem><para>
+
+The encryption key will be generated from random data during the
+installation. Moreover this key will be encrypted
+with <application>GnuPG</application>, so to use it, you will need to
+enter the proper passphrase (you will be asked to provide one later in
+the process).
+
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Random key</term>
+ <listitem><para>
+
+Please see the the section on random keys above.
+
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+
+</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term>Erase data: <userinput>yes</userinput></term>
+
+<listitem><para>
+
+Please see the the section on erasing data above.
+
+</para></listitem>
+</varlistentry>
+
+</variablelist>
+
+</para><note><para>
+
+Please note that the <emphasis>graphical</emphasis> version of the
+installer still has some limitations when compared to the textual
+one. For cryptography it means you can set up only volumes using
+<emphasis>passphrases</emphasis> as the encryption keys.
+
+</para></note><para>
+
+
+After you have selected the desired parameters for your encrypted
+partitions, return back to the main partitioning menu. There should
+now be a new menu item called <guimenu>Configure encrypted
+volumes</guimenu>. After you select it, you will be asked to confirm
+the deletion of data on partitions marked to be erased and possibly
+other actions such as writing a new partition table. For large
+partitions this might take some time.
+
+</para><para>
+
+Next you will be asked to enter a passphrase for partitions configured
+to use one. Good passphrases should be longer than 8 characters,
+should be a mixture of letters, numbers and other characters and
+should not contain common dictionary words or information easily
+associable with you (such as birthdates, hobbies, pet names, names of
+family members or relatives, etc.).
+
+</para><warning><para>
+
+Before you input any passphrases, you should have made sure that your
+keyboard is configured correctly and generates the expected
+characters. If you are unsure, you can switch to the second virtual
+console and type some text at the prompt. This ensures that you won't be
+surprised later, e.g. by trying to input a passphrase using a qwerty
+keyboard layout when you used an azerty layout during the installation.
+This situation can have several causes. Maybe you switched to another
+keyboard layout during the installation, or the selected keyboard layout
+might not have been set up yet when entering the passphrase for the
+root file system.
+
+</para></warning><para>
+
+If you selected to use methods other than a passphrase to create
+encryption keys, they will be generated now. Because the kernel may
+not have gathered a sufficient amount of entropy at this early stage
+of the installation, the process may take a long time. You can help
+speed up the process by generating entropy: e.g. by pressing random
+keys, or by switching to the shell on the second virtual console and
+generating some network and disk traffic (downloading some files,
+feeding big files into <filename>/dev/null</filename>, etc.).
+
+<!-- TODO: Mention hardware random generators when we will support
+ them -->
+
+This will be repeated for each partition to be encrypted.
+
+</para><para>
+
+After returning to the main partitioning menu, you will see all
+encrypted volumes as additional partitions which can be configured in
+the same way as ordinary partitions. The following example shows two
+different volumes. The first one is encrypted via dm-crypt, the second
+one via loop-AES.
+
+<informalexample><screen>
+Encrypted volume (<replaceable>crypt0</replaceable>) - 115.1 GB Linux device-mapper
+ #1 115.1 GB F ext3
+
+Loopback (<replaceable>loop0</replaceable>) - 515.2 MB AES256 keyfile
+ #1 515.2 MB F ext3
+</screen></informalexample>
+
+Now is the time to assign mount points to the volumes and optionally
+change the file system types if the defaults do not suit you.
+
+</para><para>
+
+One thing to note here are the identifiers in parentheses
+(<replaceable>crypt0</replaceable>
+and <replaceable>loop0</replaceable> in this case) and the mount
+points you assigned to each encrypted volume. You will need this
+information later when booting the new system. The differences between
+ordinary boot process and boot process with encryption involved will
+be covered later in <xref linkend="mount-encrypted-volumes"/>.
+
+</para><para>
+
+Once you are satisfied with the partitioning scheme, continue with the
+installation.
+
+</para>
+ </sect3>
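Review bot: the passphrase advice in the paragraph beginning "Next you will be asked to enter a passphrase" ("longer than 8 characters") is too weak for the threat model the section opens with: against a stolen drive, guessing the passphrase offline is the attacker's only route in, so recommend a substantially longer passphrase (several unrelated words, or at least 20 characters) rather than "longer than 8". Two related gaps: the "Keyfile (GnuPG)" entry for loop-AES never says where the GnuPG-encrypted keyfile is stored or that it must be backed up together with its passphrase, without which the volume is unrecoverable; and the "Erase data" footnote says "magnetooptical media" where the section is about hard drives (magnetic media), and its "guys from three-letter agencies" aside is unsourced speculation that either needs a reference or should be cut, keeping the two concrete reasons (hiding which blocks are in use, leftover data) in the main text. The two "<!-- TODO -->" comments (the block-device encryption guide link and hardware RNGs) will ship in the source; acceptable if tracked, but mention them in the commit message. Typos: "available options available" has one "available" too many, and "Please see the the section" appears twice with a doubled "the".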