MainInclusionReportCryptsetup

Main Inclusion Report for cryptsetup

Summary

cryptsetup is a highly desirable package. Unfortunately the quality is not ideal but I think the problems are manageable.

Requirements

  1. Availability: http://archive.ubuntu.com/ubuntu/pool/universe/c/cryptsetup, available for all supported architectures

  2. Rationale:

    • Used in LTSP clients to create encrypted swap on the fly.
    • We would like to provide encrypted swap by default as soon as possible.
    • We want to provide a way to set up encrypted filesystems at install time.
    • More and more server and laptop setups include (or should use) encrypted filesystems.
  3. Security:

    • No CVE entries.

    • No Secunia history.

    • Users of cryptsetup become exposed to problems in the underlying machinery, in particular dm-crypt (the kernel support). dm-crypt has had one local vulnerability, http://www.securityfocus.com/bid/16301; this is a probably theoretical problem which, if successfully exploited, gives the attacker the disk encryption key, but which does not appear to constitute a more worrying kind of hazard.

    • No other specific security problems are known, although there are many situations when careless use of disk encryption may give a false sense of security.
    • No set-id binaries. The cryptsetup binary needs to run as root to work properly, and generally this is done in the initramfs or during local filesystem mounting.
    • No networking. The only hostile data that this code comes into contact with is potentially hostile block device contents, against which the whole operating system is already very weak.
  4. Quality assurance:

    • Package works out of the box without configuration in many setups. However, there are some difficulties with udev and races, because there are no proper arrangements for running cryptsetup from udev. This is a nontrivial problem and is currently solved in an ad hoc manner: there is a simple "wait for the container to appear" approach in the initramfs, which currently works in most scenarios, and we use explicit invocation of cryptsetup elsewhere.
    • Package does not ask any questions during installation.
    • Debian bugs show some potential problems including a data loss possibility when attempting to resize filesystems. The package does appear to be fairly widely used judging by the wide variety of submitters in the Debian BTS.

    • Maintenance in Debian seems moderately active.

    • Ubuntu bugs show a fair few bugs but no showstoppers.

    • Upstream is very quiescent; there is no upstream bug tracker.

    • This package does not deal with hardware directly and there is no problem with specific hardware support; however, specific hardware setups may tickle udev races (see above).
    • Cursory code review done by the editor of this revised report. The code quality is not excellent and in particular the diagnostics are a bit poor ("it didn't work"), but no worse than much other software we have in main. We can cope with this for a tool of this importance.
    • The package currently does not support an encrypted but separate /usr partition. This defect is not trivial to remedy because cryptsetup needs libgcrypt and libgpg-error which are installed in /usr.
  5. Standards compliance:

    • Meets the FHS and Debian Policy. The use of /lib/cryptsetup/ for shell script functions etc. is idiosyncratic but IMO justified in this case.

    • Meets Debian library packaging guide standards.

    • Packaging is a mixture of manual and debhelper, and is moderately reasonable. The package uses dpatch but has no patches!
  6. Dependencies:

    • All in main (Gutsy package details). Notable dependencies are dmsetup (and libdevmapper), libgcrypt, libgpg-error0, libpopt0 and libuuid1.
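Two of the points above describe mechanisms rather than policy: the "wait for the container to appear" work-around for the udev race (item 4), and the separate-/usr defect, which exists because libgcrypt and libgpg-error live under /usr (item 4, and visible again in the dependency list). The POSIX shell below is an added illustration of both, not code from cryptsetup, Debian or the Ubuntu initramfs: the function names, the one-second polling interval, the temporary file standing in for a device node, and the ldd output in SAMPLE_LDD are all constructed for this example.

```shell
#!/bin/sh
# Added example: two readiness checks an early-boot (initramfs-style) hook
# would want before invoking cryptsetup. Nothing here is cryptsetup's own code.

# wait_for_device PATH [TIMEOUT_SECONDS]
# Work-around for the udev race described in the report: the device node may
# not exist yet when the hook runs. Polls once a second until PATH appears.
# Returns 0 when it appears, 1 on timeout (constructed helper, default 10s).
wait_for_device() {
    dev="$1"
    timeout="${2:-10}"
    i=0
    while [ "$i" -lt "$timeout" ]; do
        if [ -e "$dev" ]; then
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    echo "wait_for_device: $dev did not appear within ${timeout}s" >&2
    return 1
}

# libs_under_usr
# Reads `ldd <binary>` output on stdin and prints every shared library that
# resolves under /usr. Any hit means the binary cannot run before /usr is
# mounted, which is exactly the separate-/usr defect noted in the report.
# ldd lines look like:  libgcrypt.so.11 => /usr/lib/libgcrypt.so.11 (0x...)
libs_under_usr() {
    awk '$2 == "=>" && $3 ~ "^/usr/" { print $3 }'
}

# Constructed ldd output, modelled on the dependency list in the report
# (paths are illustrative, not taken from a real system).
SAMPLE_LDD='linux-gate.so.1 =>  (0xffffe000)
libgcrypt.so.11 => /usr/lib/libgcrypt.so.11 (0xb7f00000)
libgpg-error.so.0 => /usr/lib/libgpg-error.so.0 (0xb7ef0000)
libdevmapper.so.1.02 => /lib/libdevmapper.so.1.02 (0xb7ed0000)
libc.so.6 => /lib/libc.so.6 (0xb7d80000)
/lib/ld-linux.so.2 (0xb7f20000)'

# --- Demonstration on constructed data (safe to run anywhere) ---
tmpdev="$(mktemp)"                 # stands in for /dev/mapper/<name>
rm -f "$tmpdev"
( sleep 1; touch "$tmpdev" ) &     # simulate udev creating the node late
if wait_for_device "$tmpdev" 5; then
    echo "container node appeared: $tmpdev"
fi
wait
rm -f "$tmpdev"

echo "libraries unavailable before /usr is mounted:"
printf '%s\n' "$SAMPLE_LDD" | libs_under_usr
```

On a real system the second check would be fed by `ldd /sbin/cryptsetup`; an empty result is what a root-only early-boot binary needs, and the two /usr hits in the constructed output are the report's libgcrypt and libgpg-error problem in miniature. The polling loop is a bounded wait rather than an unbounded one so that a missing container fails the boot step noisily instead of hanging it.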

Reviewers

Review report rewritten by Ian Jackson 30.8.07.

Following second opinion from Colin Watson, approved for Ubuntu main by Ian Jackson 30.8.07.

MainInclusionReportCryptsetup (last edited 2008-08-06 16:21:32 by localhost)