Martin Cmelik n00b
Joined: 14 Oct 2010 Posts: 42 Location: Prague
Posted: Thu Oct 23, 2014 7:50 pm Post subject: Cryptsetup, initrd and static USE flag

Hi,
I just realized that cryptsetup with the "static" USE flag can't be compiled with the gcrypt backend (which has been used till now).
Can someone please explain to me why? Or which other backend is best to use and will work with a LUKS encrypted system partition?
The main thing is... I need an initrd with LUKS support.
...is there a way to make an initramfs with LUKS support while Genkernel will compile its own cryptsetup binaries with the static USE flag and the system itself will have a dynamically linked cryptsetup?
Thank you very much
_________________
where there is a shell, there is a way
gseba n00b
Joined: 02 Aug 2003 Posts: 59 Location: Romania
Posted: Mon Oct 27, 2014 12:07 pm Post subject: Re: Cryptsetup, initrd and static USE flag

Martin Cmelik wrote:
> is there a way to make an initramfs with LUKS support while Genkernel will compile its own cryptsetup binaries with the static USE flag and the system itself will have a dynamically linked cryptsetup?

Have you tried sys-kernel/genkernel-next instead of sys-kernel/genkernel?
It puts dynamic dependencies into the ramdisk (like the libdevmapper.so shared library for /sbin/cryptsetup).
You then require the kernel crypt_root=/dev/sdaX parameter.
Martin Cmelik n00b
Joined: 14 Oct 2010 Posts: 42 Location: Prague
Posted: Mon Oct 27, 2014 5:38 pm Post subject: Re: Cryptsetup, initrd and static USE flag

gseba wrote:
> Have you tried sys-kernel/genkernel-next instead of sys-kernel/genkernel?
> It puts dynamic dependencies into the ramdisk (like the libdevmapper.so shared library for /sbin/cryptsetup).
> You then require the kernel crypt_root=/dev/sdaX parameter.

Hi,
Thank you, I was unaware of this.
In any case, is there a way to have LUKS support with standard genkernel, independent of the system's build of cryptsetup?
Thank you
gseba n00b
Joined: 02 Aug 2003 Posts: 59 Location: Romania
Posted: Wed Oct 29, 2014 2:55 pm Post subject: Re: Cryptsetup, initrd and static USE flag

Martin Cmelik wrote:
> I just realized that cryptsetup with the "static" USE flag can't be compiled with the gcrypt backend (which has been used till now).
> Can someone please explain to me why?

My previous post was also an answer to your "why": like you, it had me have cryptsetup without "static" USE flag, but that had me switch from genkernel to genkernel-next.
Why can't cryptsetup USE "static" flag for you?
Martin Cmelik n00b
Joined: 14 Oct 2010 Posts: 42 Location: Prague
Posted: Wed Oct 29, 2014 5:44 pm Post subject: Re: Cryptsetup, initrd and static USE flag

gseba wrote:
> My previous post was also an answer to your "why": like you, it had me have cryptsetup without "static" USE flag, but that had me switch from genkernel to genkernel-next.
> Why can't cryptsetup USE "static" flag for you?

Hi,
I will try to use it, but I need to do a lot of tests to be sure that it will not ruin my auto-installer for Securix Linux, as installation and future system upgrades now depend heavily on standard genkernel.
Thank you
gseba n00b
Joined: 02 Aug 2003 Posts: 59 Location: Romania
Posted: Wed Oct 29, 2014 6:34 pm Post subject: Re: Cryptsetup, initrd and static USE flag

Martin Cmelik wrote:
> I will try to use it, but I need to do a lot of tests to be sure that it will not ruin my auto-installer for Securix Linux, as installation and future system upgrades now depend heavily on standard genkernel.

Okay, I "leave you two alone"... There is always https://bugs.gentoo.org where you can solve your issue.
Thanks.
frostschutz Advocate
Joined: 22 Feb 2005 Posts: 2977 Location: Germany
Posted: Wed Oct 29, 2014 7:36 pm Post subject:

I compiled it with kernel backend. In my case it makes no difference whatsoever.
Martin Cmelik n00b
Joined: 14 Oct 2010 Posts: 42 Location: Prague
Posted: Wed Oct 29, 2014 8:28 pm Post subject:

frostschutz wrote:
> I compiled it with kernel backend. In my case it makes no difference whatsoever.

Cryptsetup developers as well as Gentoo developers will warn you that with the kernel backend all crypto operations might be slow...
Info here: https://code.google.com/p/cryptsetup/wiki/Cryptsetup130
Martin Cmelik n00b
Joined: 14 Oct 2010 Posts: 42 Location: Prague
Posted: Thu Oct 30, 2014 4:05 pm Post subject: Re: Cryptsetup, initrd and static USE flag

gseba wrote:
> Have you tried sys-kernel/genkernel-next instead of sys-kernel/genkernel?

genkernel-next is working very well
thank you!
katfish Tux's lil' helper
Joined: 14 Nov 2011 Posts: 147
Posted: Sat Nov 01, 2014 6:07 am Post subject:

I have two systems with LUKS encrypted root partitions, one stable, the other one unstable.
Both boot well with genkernel's initrds, cryptsetup not statically linked and gcrypt backend.
N8Fear Tux's lil' helper
Joined: 15 Apr 2013 Posts: 140 Location: Berlin (Germany)
Posted: Sat Nov 01, 2014 6:51 pm Post subject:

You can also include non-static cryptsetup in a custom initrd/initramfs: copy the binary and use ldd or lddtree to check which libs you also need to copy. Personally I can't see much performance degradation with using the kernel backend (though I haven't benchmarked (not even sure how)).
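
The copy-the-binary-and-check-with-ldd procedure from the post above, sketched as an added shell example that is not part of the original thread. The helper names `list_libs` and `stage_binary` and the staging directory in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): stage a dynamically linked binary and
# the shared libraries ldd reports into an initramfs source tree.
# list_libs and stage_binary are hypothetical helper names.
# Only run ldd on binaries you trust: it can invoke the program's loader.

# list_libs BIN: print the absolute path of every shared object BIN loads.
list_libs() {
    # ldd prints "libx.so => /path/libx.so (0x..)" or "/lib64/ld-linux.so (0x..)";
    # the vdso has no path and is skipped. Static binaries yield nothing.
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }' | sort -u
}

# stage_binary BIN ROOT: copy BIN and its libraries under ROOT, keeping paths.
# Returns 1 on bad input or copy failure, 2 if a library is unresolved.
stage_binary() {
    sb_bin=$1
    sb_root=$2
    case $sb_bin in
        /*) ;;
        *) echo "need an absolute path: $sb_bin" >&2; return 1 ;;
    esac
    [ -f "$sb_bin" ] || { echo "no such file: $sb_bin" >&2; return 1; }
    if ldd "$sb_bin" 2>/dev/null | grep -q 'not found'; then
        echo "unresolved library for $sb_bin" >&2
        return 2
    fi
    for sb_f in "$sb_bin" $(list_libs "$sb_bin"); do
        mkdir -p "$sb_root$(dirname "$sb_f")" || return 1
        # -L follows symlinks so the real file, not a dangling link, is staged
        cp -L "$sb_f" "$sb_root$sb_f" || return 1
    done
}

# Usage (paths are assumptions): sh stage.sh /sbin/cryptsetup /usr/src/initramfs
if [ "$#" -eq 2 ]; then
    stage_binary "$1" "$2"
fi
```

Libraries that cryptsetup loads at run time with dlopen do not appear in ldd output, so the staged tree should still be tested by actually opening a LUKS container from it.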
frostschutz Advocate
Joined: 22 Feb 2005 Posts: 2977 Location: Germany
Posted: Sat Nov 01, 2014 9:50 pm Post subject:

Martin Cmelik wrote:
> Cryptsetup developers as well as Gentoo developers will warn you that with the kernel backend all crypto operations might be slow...

In Initramfs, all cryptsetup ever does is luksOpen and then it's gone. After luksOpen it's all kernel either way.
It doesn't matter one whit how fast or slow it is, as long as it still opens my containers fine (it does not take noticeably longer - but then I don't use a stopwatch while booting either).
In your main system you can keep your regular dynamic cryptsetup with the standard useflags, or actually do your own benchmark (for PBKDF2 iterations per second). Turns out gcrypt is pretty slow for me. In fact, the slowest of all the alternatives... whyever is this the default?

Code:
# cryptsetup benchmark
gcrypt: PBKDF2-sha512 643298 iterations per second
kernel: PBKDF2-sha512 891646 iterations per second
openssl: PBKDF2-sha512 976327 iterations per second
nettle: PBKDF2-sha512 1399967 iterations per second