phillip bailey's picture

I'm currently working on a project that involves the deployment of some applications inside a hostile environment. Using Turnkey linux I've achieved all the tasks required to have a secure distribution, except that I need to set up a full encrypted file system.

In the di-live installer, unfortunately I didn't find the way to enable this feature, but looking a bit further into /usr/lib/di-live.d/42partman-base, it seems to be the right place to enable this feature. I'm kindly asking for some hints and tips to enable the whole FS encryption in Turnkey Linux.

Thanks for the awesome work with Turnkey.

Phillip Bailey
 

Alon Swartz's picture

I've never done this before, so I can't give you a step-by-step, but you did find the correct place to enable encryption (42partman...)

di-live leverages d-i (debian-installer) to do the heavy lifting, which is used by Debian and Ubuntu. These links (1, 2) might help.

In a nutshell, you need to preseed d-i partman with the configuration you want in the di-live hook, and then let partman take care of the details.
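
As an added illustration of the preseeding described above (not part of the thread and not di-live's own configuration), these are standard debian-installer preseed answers that ask partman for guided "LVM inside an encrypted partition". The target disk `/dev/sda` and the presence of the partman-crypto and partman-auto-lvm components in the installer are assumptions, and how the answers are fed in from the `42partman-base` hook is not shown.

```text
# Constructed example: d-i preseed answers for guided encrypted LVM.
# Assumptions: target disk is /dev/sda; the installer image carries
# the partman-crypto and partman-auto-lvm components.

d-i partman-auto/disk string /dev/sda
# "crypto" = LVM within an encrypted (dm-crypt/LUKS) partition
d-i partman-auto/method string crypto
d-i partman-auto/choose_recipe select atomic
d-i partman-auto-lvm/guided_size string max

# Let partman replace existing LVM metadata and write the new layout
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-lvm/confirm boolean true
d-i partman-lvm/confirm_nooverwrite boolean true
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true

# partman-crypto/passphrase and partman-crypto/passphrase-again are
# deliberately left unset so the installer prompts for the passphrase.
# A preseeded passphrase would sit in clear text in the preseed data.
```

With the guided crypto method, `/boot` is created as a separate unencrypted partition; everything else lives in the LVM volume group inside the encrypted container.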

phillip bailey's picture

Alon,

thanks for the update, today I'll try to get my fingers dirty with partman.

phillip bailey's picture

Hi Alon,

things are getting hard with di-live and partman. Is there any way to avoid the di-live heavy lifting during the disk partitioning?


Thanks,

Phillip

phillip bailey's picture

Hi Alon,

I know that you've invested a lot of time writing di-live. I'm asking if there's a way to disable it and go with a normal debian installer, because things with the encrypted file system and di-live are getting pretty messed up.

Phillip

Alon Swartz's picture

Not really. di-live was developed to provide the ability to install a "live" debian based system to the harddisk. The debian-installer itself doesn't have that ability.

With enough tweaking you should be able to disable preseeding and enable all the d-i partman recipes for advanced usage scenarios (like full file-system encryption). You might need to install some dependencies though, as I said above, I'm not sure as I've never tried myself...

DLH's picture

Alon

 

you guys' products are awesome, but currently I cannot use them in production and sometimes not even in dev environments until we can achieve whole disk encryption with the installer... I'd love to see this feature added, as it has become the de facto standard where I work now

thanks

 

doug


Jeremy Davis's picture

Have a look here, although I have no idea when an option like that will be implemented.

If you are really keen on this then I suggest that you consider forking di-live.

Ole Rasmussen's picture

Whole disk encryption is such a must-have nowadays that without it TurnKey Linux is not a serious bid in a production environment.
Personally I do think you should focus on this feature as a top priority before anything else.

I vote for a rapid implementation

/Ole

Ole Rasmussen's picture

It's more than a year gone now. Any news on this?

Jeremy Davis's picture

Unfortunately not...

I personally would love to have this included, but unfortunately, there are only so many hours in the day and we have limited resources.

It's also worth keeping in mind that the value of disk encryption on an "always on" server is pretty limited (encryption only protects the data "at rest"; i.e. when it's off). The fact that most TurnKey servers don't even run on real hardware (i.e. mostly they're run as VMs) means that there isn't really any advantage to disk encryption for 99% of our users.

Also, as we're a fairly small team with limited resources, we have to always keep in mind that saying yes to one thing means saying no to a million other things.

So I really hope that we might get to this one day, but I have no idea when and the unfortunate reality is that unless someone steps up to take care of it (either via doing the work or paying someone to do the work), then there is a chance that it may be literally years before we get to it! :(

It seems that this is an important feature for you. If you are particularly interested in seeing this pushed forward and don't have the time/energy/knowledge to look into developing it yourself, perhaps you'd be interested in sponsoring work on it? We won't have any spare cycles anytime soon, but we would probably be open to contribute to contracting a freelancer to do the work if you (and/or others) are willing to throw in?! I'm not sure how much we could contribute, but we could look at getting a quote if you're keen? Then we'd at least have a ballpark. In my experience, freelance open source developers will give a bit of a discount for open source too. It's only a random guess, but I reckon we could probably get it done (or at least close) for something in the vicinity of $1000-$2000. So I guess it's how keen you are?

Otherwise if that isn't an option, I have no idea when we might get to it. The unfortunate reality with this sort of thing is that we have a constant stream of new things that we need to do, so getting back to "cool features" is always a struggle.

I hope that isn't too disheartening for you. But I wanted to give you a really clear insight...

It's also worth noting, that if encryption is important to you, you could configure your disk(s) to be encrypted after install yourself if you wished. I've never done it and don't know exactly what is required, but I know it's possible. If you go that path instead, it'd be awesome if you could post back with instructions.
