Feedback on Lab 22.2 Encrypted Swap

KonstantinA

I just wanted to point out that at step 5 (a) it gives an example config for /etc/crypttab. Specifically:

swapcrypt /dev/sda11 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256

Because i read the man pages as extensively as i can, i noticed that:

1) From man crypttab "...note however that LUKS requires a persistent key and therefore does not support random data keys"
2) From man cryptsetup "The current default in the distributed sources is "aes-cbc-essiv:sha256" for plain dm-crypt and "aes-xts-plain64" for LUKS."

So it seems that both /dev/urandom and cipher don't (or won't) work. I know that it mentions that it is an example but it could cause trouble to some.

i didn't tyr to replicate the above to see if it will work at all, since i had already done twice the 22.1 lab, with 2 virtual drives (one with boot mount, and one with not), and i had to troubleshoot, since i did a mistake of "sudo vim crypttab" instead of "sudo vim /etc/crypttab" (you guess what happened, system didn't boot, and ended up in emergency mode. Thankfully i found the error in the first couple of minutes).

The above is from the last update March 27th, 2020.

coop

I don't know what distribution or version of crypttab you have. On the machine I'm currently on there is no such statement, and in fact it says: F"or swap encryption, /dev/urandom or the hardware device /dev/hw_random can be used as the password file" and in the example section at the end it says:
swap /dev/sda7 /dev/urandom swap
This is RHEL 8, and the man page says "systemd 239" at the end and the rpm is cryptsetup-2.2.0-2.el8.x86_64

So whether you are using and older or newer version I don't know. In general anything with either crypt or pam stuff tends to be distro to distro dependent in my experience. This is one reason we eliminated the pam lab because every time we fixed it
for one distro (say ubuntu) it broke it on centos.

luisviveropena

Hi KonstantinA ,

Well, I don't see an error to report. It's useful to know what distro and version the person is working on, as well the kernel version. So in case if there is any error, one can try to replicate the error.

And as Coop said, anything related to cipher changes depends on the distro you are working on.

Regards,
Luis.

KonstantinA

You are right. What i posted originally comes from Ubuntu with cryptsetup 2:2.0.2-1ubuntu1.1, while on Fedora's cryptsetup-2.3.0-1.fc31.x86_64, the manual pages have changed.
So it is related to the cryptsetup version.