
Re: Block device encryption support



On Fri, 2007-11-09 at 17:33 -0600, David Lehman wrote:
> I've made an initial attempt at support for creating LUKS-encrypted
> partitions at install time. A patch is available here:
> 
>   http://dlehman.fedorapeople.org/anaconda-fscrypto-20071109.patch

Okay, I haven't actually tried it as my current tree is a bit muddled
with the resizing patch, but I wanted to be sure to at least look over
the patch here and provide some feedback.

* Some of the code is obviously forward-looking (the cryptodev
registering in particular).  Which is fine, but it'd probably be better
to hold off on those bits from an initial commit
* I'm a little unsure about adding the crypto dev to the fsset.Device
object.  I wonder if instead it's cleaner to just integrate the crypto
code into the Device object.  But I'm on the fence here I think
  * If we go this route, NullCrypto is probably better than Passthrough
* Multiple different types of crypto block devices seems like it's going
to end up being a UI nightmare.  We should pick one path rather than
trying to support everything under the sun
* Is the filesystem.supportsEncryption attribute really needed?  The
filesystem doesn't have to really support it at all as it's all done at
the block level
* The UI is definitely along the right lines, although I'm not convinced
about the passphrase prompting.  Also, the code would be cleaner if it
wasn't trying to support multiple ways of encryption :)
* The sanity checking should probably be combined a bit and likely in
partitions.sanityCheckAllRequests() as that's where we do other checks
for, eg, /boot not being on a PV

Overall, though, this looks very good and promising.

