Jaunty Alternate Install LVM Encryption Defaults?

Asked by ubuntu-crypto

I would like to know what the defaults are for an encrypted LVM in the Jaunty alternate install CD.
This includes:
1. Mode of operation, e.g. LRW, XTS
2. Hashing algorithm (hash used to store the key), e.g. SHA256, Whirlpool
3. Encryption algorithm, e.g. AES256, Serpent256, Twofish256
4. Key size: the size of the key in bits
I would like to know all of the options available if possible.
Also, does the installer write random data to the disk before encryption?
Most disk encryption guides start with: sudo dd if=/dev/urandom of=/dev/disk2crypt
If it doesn't, that is fine... I can boot a live CD and drop the command myself.

Furthermore, I have created an encrypted LVM from the live CD... I would like the bootloader (GRUB) to prompt me for the password, then unlock the encrypted root LVM like it does after an encrypted LVM install with the alternate install CD.
I have looked at https://help.ubuntu.com/community/EncryptedFilesystemLVMHowto and all its neighbouring pages... I have been googling for days and still no results... If you help me I will gladly make a wiki of some sort for encrypting Ubuntu with LVM & dm-crypt.
Finally, I'm wondering whether, if I upgrade to the release following Jaunty, my system will still boot (with encrypted LVM).

Thank you in advance,
Dave

Edit: i removed Dave's email from being hard-wired into this public forum page as his email address is the same on his profile/overview page so all comments/answers added below will automatically get sent there anyway. Regards from Tom :)

Question information

Language: English
Status: Expired
For: Ubuntu
Assignee: No assignee
Colin Watson (cjwatson) said:
#1

I thought the installer showed you the defaults already, but anyway ...

Mode: CBC
Hash algorithm: SHA256
Encryption algorithm: AES256
Key size: 256 bits

There are too many options to list here particularly conveniently - you should just be able to go through the installer and ask it to show you the choices for each option.

The installer does not erase data by default, but it has an option to do so, labelled "Erase data". This is not the default because on disks of any substantial size it takes an extremely long time, which often seems to be unexpected.

It isn't the boot loader's responsibility to unlock encrypted LVM devices, and it's at the wrong layer to be able to do so. Encrypted LVM devices are unlocked in the initramfs, not from GRUB. See /usr/share/initramfs-tools/scripts/local-top/cryptroot.

If you upgrade and your system doesn't boot, that's a serious bug that we would like to know about so that we can fix it!
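To check which cipher, IV mode, hash and key size an existing LUKS header actually carries (the four items the question asks about), here is an added example that is not part of the answer: it parses `cryptsetup luksDump` output and flags a cbc-plain IV mode, the scheme behind the watermarking concern raised below. The dump text is constructed, /dev/sdX is a placeholder, and the `cbc-essiv:sha256` IV scheme in the sample is an assumption (the answer only says "CBC").

```shell
# Added example (not from the answer): report cipher, IV mode, hash and key
# size from `cryptsetup luksDump` output. Reads the dump on stdin and prints
# "cipher mode hash keybits" on one line.
luks_params() {
  awk '
    /^Cipher name:/ { cipher = $3 }
    /^Cipher mode:/ { mode = $3 }
    /^Hash spec:/   { hash = $3 }
    /^MK bits:/     { bits = $3 }
    END { print cipher, mode, hash, bits }
  '
}

# Classify the IV mode: cbc-plain derives IVs from the sector number, which is
# the watermarking weakness; ESSIV and XTS do not. Returns 0 if acceptable.
luks_check_mode() {
  case "$1" in
    cbc-plain|cbc-plain64) echo "WEAK: $1 (predictable IVs)"; return 1 ;;
    cbc-essiv:*|xts-*)     echo "OK: $1"; return 0 ;;
    *)                     echo "UNKNOWN: $1 (review manually)"; return 2 ;;
  esac
}

# Constructed sample in LUKS1 luksDump layout. /dev/sdX is a placeholder; the
# cipher, hash and key size mirror the defaults stated in the answer above, and
# the ESSIV IV scheme is an assumption.
SAMPLE_DUMP='LUKS header information for /dev/sdX

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha256
Payload offset: 2056
MK bits:        256'

# On a real system: sudo cryptsetup luksDump /dev/sdX | luks_params
params=$(printf '%s\n' "$SAMPLE_DUMP" | luks_params)
echo "$params"                    # aes cbc-essiv:sha256 sha256 256
luks_check_mode "$(echo "$params" | awk '{print $2}')" || :
```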

ubuntu-crypto (davexthc) said:
#2

Thank you for the prompt reply. I would like to suggest the XTS or ESSIV mode of operation be the default in the release following Jaunty.
Also, the option to use Whirlpool or SHA512 would be nice. CBC is OK for encrypted data transfer if padded properly; however, it is vulnerable to watermarking attacks when used in disk crypto. CBC was not meant to be used for disk crypto.
Ubuntu Jaunty supported my install of cipher AES256, hash Whirlpool, mode of operation XTS, key size 512 (needed for XTS mode).
Furthermore, as you probably already know, there is a 64-bit AES kernel module. It would be nice to have it be the default on a 64-bit install disk. The 64-bit module provides a significant boost in efficiency compared to the 32-bit one.

I had to do a lot of tweaking to get my system working (getting Ubuntu to auto-unmount the drive) and I am still having trouble. I can boot by manually mapping the device. Instructions on how to modify /usr/share/initramfs-tools/scripts/local-top/cryptroot would be nice. The disk encryption support pages on the Ubuntu site are quite dated. I will help as much as possible. I can create a wiki, modify the wiki, etc. I would like to create a wiki of a custom encrypted LVM install for Ubuntu.
I can also make a YouTube video. I am always pushing developers to patch holes :D. By the way, there are some nasty remote code-execution exploits affecting sun-jre versions 1.6_14 and 1.5_19 (and lower); I noticed 1.6_14 is the latest in the Jaunty repos. 1.6_16 is out!

Launchpad Janitor (janitor) said:
#3

This question was expired because it remained in the 'Open' state without activity for the last 15 days.