cryptsetup luks/truecrypt/veracrypt/loopaes, lvm2 and probably dm-raid too (patches included)

  • Edit: 2018-05-09 corrected the dependencies of cryptsetup, lvm2 (more exact libdevmapper) is needed and therefor only mdadm as pkg is optional

    I like all my systems cold secure, that means all data are fully encrypted. The one exception are my kodi boxes. I did try to get all the infos away from the kodi box, but at least the Textures13.db is on the box, when i mounted .kodi/temp as tmpfs and redirected Thumbnail to the server.

    So i build a community version (my latest) LE 8.2.5 with UHD 630 / Coffee Lake support and luks, lvm2, dm-raid and since the end of last year i also shared it in the forum.

    features tested:

    - truecrypt with "cryptsetup open --type tcrypt /dev/sda6 tcrypt-sda6 ; mount /dev/mapper/tcrypt-sda6 <your mountpoint>" created on OE 5.0 with truecrypt

    - veracrypt with "cryptsetup open --veracrypt --type tcrypt /dev/sdb6 vcrypt-sdb6 ; mount.exfat /dev/mapper/vcrypt-sdb6 <your mountpoint>" created on Windows 10 with veracypt and formated as exfat

    - cryptsetup luks i used to create and mount encrypted userdata

    I striped down all my changes to the minimum to have cryptsetup luks usable and for Generic enabled AES-NI to have it hardware accelerated. The lvm2 package is needed by cryptsetup. The kernel config also contains all to use mdadm.

    All what is needed is in cryptsetup-lvm2-dm-raid.zip and the RPi2 kernel patch should apply to other architerures without so much trouble. There are only kernel config patches for Generic and RPi2 build for 8.2.5 with a kernel 4.14 (like the LE git master at the moment).

    Sadly my script tools to mount userdata encrypted are not yet ready for the public, but i would love to see all what is needed in LE so that only a addon is needed or i patch the init to support it at boot time. For curious persons here are my scripts without any support for it from /storage/.cryptluks scripts-cryptluks.zip and it uses a backend webserver and gets all the parameter from the kernel command line.

    For boot time support i have a plan to use nework bound disc encryption (NBDE) with tang and clevis to make it totaly unattended bootup with encryption.

    Thanks for reading my proposal.

    Edited 4 times, last by sky42 (May 9, 2018 at 5:40 PM).

    • Official Post

    Firstly you NEED to change the title of your thread - it is too technical and non informative.

    YOU are asking for a feature request, so write it as if you are applying for a job.

    Give a good opening sentence and then in clear text explain, why, how, and possible conflicts (LE should not solve them).

    This will explain why this thread has been ignored for a while.

  • Iridium

    Thanks for the advice. I did think about it some time. Now i have done some more tests and minimized my patches. I also write a application, but still not sure about the new Subject "kernel support for encryption + adding dm-crypt" for a new thread i will open.

    Here is my draft:

    ------------------------------

    Why should there be hardware acceleration and more crypto moduls in the kernel:

    Hardware acceleration with AES-NI is 6-8 times faster. That is the case for many things like https, other SSL connections, SSH and also disk encryption. The kernel encryption/decryption implemetation is faster than just userspace software, becasue it is more optimized and using even hardware acceleration if possible, when you enable optimization/acceleration.

    When the kenrel supports a more complete set of encryption, than the community is able to build addons that are using/needing the kernel crypto support.

    Why would some one use disk encryption:

    There are at least 2 reasons.

    One is encryption at rest, so that data on the disk are encrypted and you can throw it away without thinking about the data. For HDDs you can overwrite them, when they are still working, but failed HDDs have still data and you can not properly delete them. The seconds case can be solved with a degausser, but thats about $ 20.000 (i bought 2 at work). For SSDs proper deleting through overwriting is not really possible, because of wearleveling technics of the SSD controller you will never reach all flash cells.

    The 2nd one is protecting your data, because you dont want somebody to access them. But these data are only cold secure, that means if it is swicthed off nobody can access it without your password or key. I see that used more and more for portable data devices (HDD, SSD, USB Stick). Also Android does encrypt the user data by default since Android 6, when you setup a PIN or password. iPhones doing that a lot longer.


    I propose to add a more support for encryption and dm-crypt in the kernel. Encryption will be faster for e.g https and the community can build addons based on that.

    I would also like to include cryptsetup in LE, so that it is possible to use encrypted block devices. If cryptsetup is not included i can still build a addon, when the dm-crypt kernel support is included.

    With cryptsetup it is possible to use luks, loopaes, veracrypt, truecrypt encrypted devices. A veracrypt USB disc needs to be first open by cryptsetup and then you could normal mount e.g. a ntfs filesystem. There is no GUI for that in my proposal. I am not the right person to build a GUI portion for that, but with the kernel support and cryptsetup it is poosible to build a addon for that.


    The kernel image is growing about 16KB on Generic x86_64 and the system image about 1.5MB (cryptsetup included).

    here is my patch for Generic x86_64

    kernel support for encryption and adding dm-crypt

    sky42-kernel-config-Generic-x86_64-encryption-4.18-v2.patch.txt

    cryptsetup package.mk and depedencies lvm2-minimal

    cryptsetup-package.mk.txt

    lvm2-minimal-package.mk.txt


    I am happy to provide patches for all the other architectures. With RPi2 and Wetek_Play i already did this a while ago. On Generic x86_64 i use this every day (my LE userdata is encrypted).


    Thanks for reading and hopefully considering it

    sky42


    ------------------------------