Uwe Hermann | A slightly paranoid Debian developer

I've stumbled over Lars Wirzenius' article Debian Lessons (Subtitle: Project management lessons from the Debian project) today. The article is from 2000 (updated 2004), but is still very, very relevant nowadays. Here's the table of contents (reading this alone would already help many projects out there, I think):

• Make sure things scale up.
• Make sure the foundation is good.
• Document important things.
• Automate repetitive tasks when possible.
• Avoid single points of failure, especially for volunteers.
• Do not worry about time tables; keep goals realistic.
• Make it easy to work independently.
• Do not overload developers.
• Be open and keep things public.
• Make it easy to contribute.
• Some barrier to entry may be necessary for quality and security.
• Have leadership.
• Conflicts are natural, but mustn't get out of hand.
• Use a bug tracking system.
• Real world politics matter.
• Controversial issues will result in a flame war and often will never really end.
• Compensation helps keep people motivated.
• Never, ever, write a program to mail Debian developers automatically. Always make automatic mails opt-in.
• Don't make assumptions about people's background.

Make sure to read the whole article. This compilation of tips should prove useful for many community-driven Free Software project out there.

• Anthony Towns is the new Debian Project Leader (DPL). Congratulations! More info: detailed results, Well, crap, vote analysis. Voting participation sucked again, only 43% of the Debian developers voted.
• Your daily paranoia/depression: AT&T forwards all Internet traffic into NSA, US wants access to EU "data retention" data, Bush's plans for Iran.
• Proof of concept virus for Linux and Windows. Again.
• The new NVIDIA Linux drivers (1.0-8756) now support more GPUs, support suspend-to-disk, and compile on Linux >= 2.6.16 without requiring patches.

A few weeks ago I published a small HOWTO for using loop-aes to encrypt your hard drive, usb thumb drive etc.

As I have bought a new 300 GB external USB disk drive on Friday, I have tried something new this time: disk encryption using dm-crypt / LUKS. It has been suggested to me multiple times that dm-crypt is superior to loop-aes, however I didn't get a real reason. Yes, it doesn't require any kernel patches and is easier to setup. But has any serious cryptographer looked at it sharply, yet? Did it withhold his eye contact?

Anyways, here's how I encrypted my 300 GB drive. I largely followed the guide at the EncryptedDeviceUsingLUKS wiki page...

1. Make sure you run Linux 2.6.16 or better. Previous versions suffer from an implementation problem which affects the security of dm-crypt, see Linux Kernel dm-crypt Local Cryptographic Key Disclosure.
2. Enable the following options in your kernel:
   • Code maturity level options
     • Prompt for development and/or incomplete code/drivers
   • Device Drivers -> Multi-device support (RAID and LVM)
     • Device mapper support
     • Crypt target support
   • Cryptographic options
     • AES cipher algorithms
3. Overwrite the whole drive with random data in order to slow down attacks on the encryption. At the same time perform a bad blocks scan to make sure the hard drive is not going to die too soon:
   badblocks -c 10240 -s -w -t random -v /dev/sdb
   Replace /dev/sdb with whatever is correct on your system. If you're really paranoid, and are willing to wait one or two days, do this:
   dd if=/dev/urandom of=/dev/sdb
4. Install the required packages:
   apt-get install cryptsetup
   The current cryptsetup in Debian unstable already supports LUKS, which was not the case a while ago, if I'm not mistaken. So Debian testing or stable will most probably not work!
5. Create one or more partitions on the drive:
   cfdisk /dev/sdb
   I created one big 300 GB partition, /dev/sdb1.
6. Setup LUKS:
   cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb1
   Enter a good passphrase here. Don't spoil the whole endeavour by chosing a stupid or short passphrase.
7. Open the encrypted device and assign it to a virtual /dev/mapper/samsung300gb device:
   cryptsetup luksOpen /dev/sdb1 samsung300gb
8. Create a filesystem on the encrypted device:
   mkfs.ext3 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/samsung300gb
   I used ext3 with some optimizations, see mke2fs(8).
9. Mount the encrypted partition:
   mkdir /mnt/samsung300gb
mount /dev/mapper/samsung300gb /mnt/samsung300gb
   That's it. Everything you write to /mnt/samsung300gb will be encrypted transparently.
10. For unmounting use:
    umount /mnt/samsung300gb
cryptsetup luksClose /dev/mapper/samsung300gb

After unmounting, nobody will be able to see your data without knowing the correct passphrase. Drive is stolen? No problem. Drive is broken, and you want to send it in for repair without the guys there poking in your data? No problem. You leave the USB drive at home and some jerk breaks into your house, steals your drive, rapes your wife, and kills your kids? No problem. Well, sort of, but you get the idea ;-)

There's more things you can do, thanks to LUKS: have multiple passphrases which unlock your data, change/add/remove passphrases as you see fit, etc.

Comments?

Update 2006-04-17: You have to use cryptsetup from unstable if you want LUKS support. cryptsetup in testing does not support this (thanks Ariel).

Linus Torvalds is a Debian developer now. No, really.

I recently had trouble installing/running Debian on my Sun Sparc Ultra 10. Lessons learned:

1. There seems to be a huge crowd of people out there who own SPARCs (lots more than I would have expected)! I received tons of helpful comments, thanks everyone!
2. Booting into single-user mode with "boot -s" requires you to enter the root password. However, you can use "boot -b", an undocumented feature, to do the equivalent of "init=/bin/sh". It doesn't quite work for me, I get "Cannot write to /foo/bar" errors (and I'm then asked to provide the root password, very funny), but that might be an unrelated problem...
3. The problems I experienced (screen turns black, nothing happens) had a simple reason: there are two video cards in the box, but I only had a monitor attached to one of them. As things go, the bootloader used exactly the one where the screen was attached, but as soon as Debian started to boot, it would use the other video card. Which had no monitor attached. Hence I would not see anything. The installer was waiting for me to choose a keyboard layout and I was waiting for the installer to do just something... I suck. Solution: attach second monitor. Smarter solution: use some boot parameters to choose the video card I want to use (todo).
4. None of the Debian boot images come with cfdisk or just plain fdisk (I tested businesscard, netinst, and the full install CD). Why? Do you use some other tool on SPARCs? Which?
5. I cannot seem to mount my disks. There's no /dev/hda* (should I create them with mknod?) and trying to mount /dev/ide/* fails with some strange errors. I guess I need to read more docs, both SPARC-related as well as udev-related.

In related news: Sun has released the design of the OpenSparc T1 under the terms of the GPL. Great news, thanks Sun!