Snappy + root encryption

Tyler Hicks tyhicks at canonical.com
Wed Aug 24 16:30:54 UTC 2016 

On 08/23/2016 06:47 AM, Xavier Pegenaute M2M wrote:
> Hi Mark,
> 
> actually, our goal is to provide hardware to be delivered on costumer
> premises but for this we need an extra layer of security. This is the
> reason we are considering the encryption solution.
> 
> If it is possible our first and preferred solution is to encrypt as much
> as possible starting from rootfs.
> 
> I guess I should port the cryptsetup package and dependencies to snap,
> but since I saw in your mailing list some references I wanted to be sure
> this is not already done or being in process.
> 
> As a second step, AFAIK, I should modify the boot process to include
> support for partition decryption which again I am not sure this is
> already supported on snappy (crossing fingers xD ).

Will your devices have a display and a keyboard? Will a human always be
present during the boot process (after a planned or unplanned reboot) to
enter the password?

If the answer is 'no' to either of those questions, there's more work to
do in order to provide secure storage of the encryption key in a way
that makes it automatically accessible during the boot process.

Let us know what your needs are and we can at least capture the use case
and requirements in a feature request bug so that we can try to support
you when designing the storage encryption solution in the platform
itself. Thanks!

Tyler

> 
> Regards
> 
> On 23/08/16 13:21, Mark Shuttleworth wrote:
>> Hi Xavier
>>
>> With snaps on classic (deb-based) Linux there have been some bugs
>> related to encrypted home directories, not sure if those are fixed yet
>> but they are definitely in progress.
>>
>> On Ubuntu Core (where the whole system is a collection of snaps, there
>> are no debs by default) it should be possible to have an encrypted disk.
>> The main question would be what your expectations of the boot process
>> would be. Most people who want Ubuntu Core are doing so for distributed
>> devices where there isn't going to be a human around if the machine
>> reboots.
>>
>> Mark
>>
>> On 23/08/16 06:26, Xavier Pegenaute M2M wrote:
>>> Hi all,
>>>
>>> I am interested on building a snappy system with encryption to rootfs,
>>> I've been looking around but I didn't find any document or guide about
>>> it. Does snappy support it? If this is the case some one could point
>>> me to some info about it?
>>>
>>> Regards
>>>
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/snapcraft/attachments/20160824/22b349a3/attachment.sig>

More information about the Snapcraft mailing list