
Re: How could I install ecryptfs-utils on Buster




On 4/5/19 8:07 AM, Pierre Fourès wrote:
Hi,

I'm in the process of rebuilding new virtual instances for the Desktop
users of my company. We provide these instances in order to be able
to run the validated software stack on non-validated software stacks
(i.e. running a virtual box inside a custom installed Linux, or on OSX
or Windows). These virtual machines usually end up on laptops. In order
to keep the company's data safe in case of a laptop being stolen, we
set up an encrypted home with ecryptfs-utils.

Moreover, the install process of Desktop machines is standardized and
shared with bare-metal machines. I install everything through debootstrap
(from the validated stack we use on our servers). In order to run the
Desktops, and because of new hardware with video cards not supported
in Stretch, we made the move to Buster a bit earlier and went into the
testing wonderland. This is mostly just a dist-upgrade of the current
validated stack. As a side effect, this helps to pre-validate all our
stack on Buster.

But I just discovered today that ecryptfs-utils has no longer been part of
Buster since 2018-12-19. To my understanding, this is due to bug [1],
which perfectly justifies the removal of ecryptfs-utils from Buster.
This bug doesn't really affect our use case scenario as we only aim
to protect the data at rest. I would prefer a bug-free solution,
but we find it acceptable to keep on using ecryptfs, especially in
contrast to taking the time to configure something else. I thus
solicit your advice to devise a solution to make it installable again.

I would like a « simple and easy » solution. Here are the options I see:

- Install ecryptfs-utils before proceeding with the dist-upgrade to Buster,
so I have the package installed. But won't Buster remove it, as
feared in [2]? I have also prepared some virtual instances for our
users and I would prefer not to throw them away to start anew if
possible.

- Build the virtual instances on Stretch only, not Buster. But I
wouldn't like it much as it would split versions across the
Desktops, and would then add maintenance. Moreover, users would not be
at ease with different versions of what they use depending on whether they
are on their bare-metal machine (requiring Buster) or on their virtual
instance (requiring Stretch). Also, if we stay on Stretch, when
Buster turns stable, then oldstable, how shall I handle the fact
that Stretch will slowly slip into retirement and that Buster has no
alternative, so I can't make the move?

- Install ecryptfs-utils from Sid? Isn't it risky to take it from Sid?
Especially for such a package.

- Some other approach I don't foresee, like maybe adding the Stretch
repository to sources.list in order to grab it from there? Is it
feasible?

I think I would prefer to grab the package from Stretch rather than from Sid.
Both are right now the same version (as was the version for Buster),
but taking it from Stretch would guarantee that it will not change. I also
prefer not adding the Sid repos to the sources.list. I was already
pretty reticent to make the bump to testing, so taking the plunge to
Sid is way too extreme. Clearly, what would be best would be to proceed
with an already installed Buster system.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765854
[2] https://www.reddit.com/r/debian/comments/asei6c/ecryptfsutils_in_buster/

Regards,
Pierre.

AFAIK dm-crypt is the canonical disc encryption technology on Linux (see crypttab(5) and cryptsetup(8)). I like the fact that it operates at the device level, so everything on an encrypted disc or partition is automatically and inescapably encrypted. File system level encryption, such as ecryptfs(7), might make sense for cloud directories or sneaker-net media. I use ccrypt(1) for individual files, but vim(1) has an encrypted mode that is very appealing for certain use-cases.


David