| View previous topic :: View next topic |
| Author |
Message |
Martin Cmelik
n00b
Joined: 14 Oct 2010
Posts: 42
Location: Prague
|
 Posted: Thu Oct 23, 2014 7:50 pm Post subject: Cryptsetup, initrd and static USE flag |
 |
|
Hi,
I just realized that cryptsetup with "static" USE flag cant be compiled with gcrypt backend (which has been used till now).
Can someone please explain me why? Or which other backend is best to use and will be working with LUKS encrypted system partition?
The main thing is... I need initrd with LUKS support.
...is there a way how to make initramfs with LUKS support while Genkernel will compile its own cryptsetup binaries with static USE flag and system itself will have dynamically linked cryptsetup?
Thank you very much
_________________
| Code: | | where there is a shell, there is a way |
|
|
| Back to top |
|
 |
gseba
n00b
Joined: 02 Aug 2003
Posts: 59
Location: Romania
|
| Posted: Mon Oct 27, 2014 12:07 pm Post subject: Re: Cryptsetup, initrd and static USE flag |
|
|
| Martin Cmelik wrote: | | is there a way how to make initramfs with LUKS support while Genkernel will compile its own cryptsetup binaries with static USE flag and system itself will have dynamically linked cryptsetup? |
Have you tried sys-kernel/genkernel-next instead of sys-kernel/genkernel?
It puts dynamic dependencies into ramdisk (like the libdevmapper.so shared library for /sbin/cryptsetup).
You then require the kernel crypt_root=/dev/sdaX parameter. |
|
| Back to top |
|
|
Martin Cmelik
n00b
Joined: 14 Oct 2010
Posts: 42
Location: Prague
|
| Posted: Mon Oct 27, 2014 5:38 pm Post subject: Re: Cryptsetup, initrd and static USE flag |
|
|
| gseba wrote: |
Have you tried sys-kernel/genkernel-next instead of sys-kernel/genkernel?
It puts dynamic dependencies into ramdisk (like the libdevmapper.so shared library for /sbin/cryptsetup).
You then require the kernel crypt_root=/dev/sdaX parameter. |
Hi,
Thank you, I was unaware of this.
In any case is there a way how to have LUKS support on standard genkernel, independently on systems build of cryptsetup?
Thank you
_________________
| Code: | | where there is a shell, there is a way |
|
|
| Back to top |
|
|
gseba
n00b
Joined: 02 Aug 2003
Posts: 59
Location: Romania
|
| Posted: Wed Oct 29, 2014 2:55 pm Post subject: Re: Cryptsetup, initrd and static USE flag |
|
|
| Martin Cmelik wrote: | I just realized that cryptsetup with "static" USE flag cant be compiled with gcrypt backend (which has been used till now).
Can someone please explain me why? |
My previous post was also an answer to your "why": like you, it had me have cryptsetup without "static" USE flag, but that had me switch from genkernel to genkernel-next.
Why cant cryptsetup USE "static" flag for you? |
|
| Back to top |
|
|
Martin Cmelik
n00b
Joined: 14 Oct 2010
Posts: 42
Location: Prague
|
| Posted: Wed Oct 29, 2014 5:44 pm Post subject: Re: Cryptsetup, initrd and static USE flag |
|
|
| gseba wrote: | My previous post was also an answer to your "why": like you, it had me have cryptsetup without "static" USE flag, but that had me switch from genkernel to genkernel-next.
Why cant cryptsetup USE "static" flag for you? |
Hi,
I will try to use it, but I need to make a lot of tests, to be sure, that it will not ruin my auto-installer for Securix Linux, as now installation and future system upgrades highly depend on standard genkernel.
Thank you
_________________
| Code: | | where there is a shell, there is a way |
|
|
| Back to top |
|
|
gseba
n00b
Joined: 02 Aug 2003
Posts: 59
Location: Romania
|
| Posted: Wed Oct 29, 2014 6:34 pm Post subject: Re: Cryptsetup, initrd and static USE flag |
|
|
| Martin Cmelik wrote: | | I will try to use it, but I need to make a lot of tests, to be sure, that it will not ruin my auto-installer for Securix Linux, as now installation and future system upgrades highly depend on standard genkernel. |
Okay, I "leave you two alone"... There is always https://bugs.gentoo.org where you can solve your issue.
thank s. |
|
| Back to top |
|
|
frostschutz
Advocate
Joined: 22 Feb 2005
Posts: 2977
Location: Germany
|
| Posted: Wed Oct 29, 2014 7:36 pm Post subject: |
|
|
| I compiled it with kernel backend. In my case it makes no difference whatsoever. |
|
| Back to top |
|
|
Martin Cmelik
n00b
Joined: 14 Oct 2010
Posts: 42
Location: Prague
|
| Posted: Wed Oct 29, 2014 8:28 pm Post subject: |
|
|
| frostschutz wrote: | | I compiled it with kernel backend. In my case it makes no difference whatsoever. |
Cryptsetup developers as well as Gentoo developers will warn you, that with kernel backend all crypto operations might be slow...
info here: https://code.google.com/p/cryptsetup/wiki/Cryptsetup130
_________________
| Code: | | where there is a shell, there is a way |
|
|
| Back to top |
|
|
Martin Cmelik
n00b
Joined: 14 Oct 2010
Posts: 42
Location: Prague
|
| Posted: Thu Oct 30, 2014 4:05 pm Post subject: Re: Cryptsetup, initrd and static USE flag |
|
|
| gseba wrote: |
Have you tried sys-kernel/genkernel-next instead of sys-kernel/genkernel?
|
genkernel-next is working very well
thank you!
_________________
| Code: | | where there is a shell, there is a way |
|
|
| Back to top |
|
|
katfish
Tux's lil' helper
Joined: 14 Nov 2011
Posts: 147
|
| Posted: Sat Nov 01, 2014 6:07 am Post subject: |
|
|
I have two systems with luks encrypted root partitions, one stable the other one unstable.
Both boot well with genkernels initrds, cryptsetup not statical linked and gcrypt backend. |
|
| Back to top |
|
|
N8Fear
Tux's lil' helper
Joined: 15 Apr 2013
Posts: 140
Location: Berlin (Germany)
|
| Posted: Sat Nov 01, 2014 6:51 pm Post subject: |
|
|
| You can also include non-static cryptsetup in a custom initrd/initramfs: copy the binary and use ldd or lddtree to check which libs you also need to copy. Personally I can't see much performance degradation with using the kernel backend (though I haven't benchmarked (not even sure how)). |
|
| Back to top |
|
|
frostschutz
Advocate
Joined: 22 Feb 2005
Posts: 2977
Location: Germany
|
| Posted: Sat Nov 01, 2014 9:50 pm Post subject: |
|
|
| Martin Cmelik wrote: | | Cryptsetup developers as well as Gentoo developers will warn you, that with kernel backend all crypto operations might be slow... |
In Initramfs, all cryptsetup ever does is luksOpen and then it's gone. After luksOpen it's all kernel either way.
It doesn't matter one whit how fast or slow it is, as long as it still opens my containers fine (it does not take noticably longer - but then I don't use a stopwatch while booting either).
In your main system you can keep your regular dynamic cryptsetup with the standard useflags, or actually do your own benchmark (for PBKDF2 iterations per second). Turns out gcrypt is pretty slow for me. In fact, the slowest of all the alternatives... whyever is this the default? 
| Code: |
# cryptsetup benchmark
gcrypt: PBKDF2-sha512 643298 iterations per second
kernel: PBKDF2-sha512 891646 iterations per second
openssl: PBKDF2-sha512 976327 iterations per second
nettle: PBKDF2-sha512 1399967 iterations per second
|
|
|
| Back to top |
|
|
|
Portage & Programming
