From: Brian Hutchinson <b.hutchman@gmail.com>
To: "Jan Lübbe" <jlu@pengutronix.de>, rauc@pengutronix.de
Subject: Re: [RAUC] Stumped, have a appfs partition that is encrypted, how to get RAUC to update it
Date: Fri, 23 Jul 2021 08:45:11 -0400	[thread overview]
Message-ID: <CAFZh4h_UAbL_f6Wu=OYSyH3JDe5Z4SYP=hc_OhyQjR-aJ9dgOw@mail.gmail.com> (raw)
In-Reply-To: <CAFZh4h8Hd+sBBNz9m1ZJvnHEg9hsL4R19cmKJ21Y9Asiss2B5Q@mail.gmail.com>



On Thu, Jul 22, 2021 at 8:55 AM Brian Hutchinson <b.hutchman@gmail.com>
wrote:

>
> Hi Jan,
>
> On Thu, Jul 22, 2021 at 8:16 AM Jan Lübbe <jlu@pengutronix.de> wrote:
>
>> On Thu, 2021-07-22 at 08:11 -0400, Brian Hutchinson wrote:
>> > Hello again,
>>
>> Hi!
>>
>> > I'm wanting to have a rootfs that is read-only SquashFS and an appfs that is
>> > encrypted.
>>
>> I assume you want to have a A/B appfs.
>>
>
> Yes, have A/B for Kernel, dtb, rootfs and appfs.
>
>
>> How do you encrypt your appfs? dm-crypt or fscrypt?
>>
>
> So process in factory will set everything up on eMMC the first time with:
>
> cryptsetup luksFormat /dev/mmcblk2p1 & /dev/mmcblk2p2
> cryptsetup luksOpen /dev/mmcblk2p1 crypt_appfs1 (same thing for
> /dev/mmcblk2p2)
> mkfs.ext4 /dev/mapper/crypt_appfs1 & crypt_appfs2
>
> Then in normal use just have a script that figures out which slot we are
> starting, A or B, to determine which appfs partition to use and cryptsetup
> luksOpen then mount /dev/mapper.
>
>
>
>> > And I'm kind of stumped.  I've searched the Documentation and archives and it
>> > doesn't look like RAUC has native support for encrypted partitions but in the
>> > archives I saw where one gentleman needed to create encrypted bundles so this
>> > might be similar to my problem.
>>
>> Bundle encryption is independent of encryption in the rest of the system.
>>
>> > I know a bundle can have pre and post triggers so maybe I can use those to
>> > cryptsetup luksOpen the partition and then mount it and then RAUC can do its
>> > normal thing ... but I've not researched that enough to know if that's the way
>> > to go so thought I'd ask for some guidance to point me in the right direction
>> > first.
>>
>> If you use dm-crypt, you can just use the device-mapper path for the slot's
>> device= property in system.conf. That way, the encryption is transparent
>> to rauc.
>>
>
> Not following how that would work since the inactive appfs would be
> "closed/encrypted".
>
> Thanks!
>
> Regards,
>
> Brian
>
>
Sorry, forgot to reply-all to last message.  So when I did my luksFormat
etc., I used a key-file that I created with openssl rand -base64 32 >
luks_appfs_key.  Are you telling me that if I add a key and put it in the
rauc key ring in /etc/rauc and in my system.conf refer to my appfs by
/dev/mapper name rauc will know what to do to "open" the inactive appfs to
do the update?

I guess I'm hung up on how the "open" will take place and how to tell rauc
about the key to use etc.

Regards,

Brian
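Editor's added example, not code from this thread or from the RAUC project. It puts Jan's suggestion and Brian's factory steps side by side: dm-crypt is transparent to RAUC only if the device-mapper node for the inactive slot exists when RAUC writes, so a boot-time script opens both LUKS containers with the key file (created as Brian describes, with openssl rand) before RAUC is used, and system.conf points each appfs slot at its /dev/mapper path. The partitions (/dev/mmcblk2p1, /dev/mmcblk2p2), the mapper names (crypt_appfs1, crypt_appfs2) and the key-file name are taken from Brian's mail; the key-file location under /etc, the rootfs slot names used for parent= and the DRY_RUN switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread or the RAUC project): keep both LUKS appfs
# mappings open so RAUC can write the inactive slot through dm-crypt, and render
# the matching system.conf slot sections. Run as root on the device.

KEYFILE="${KEYFILE:-/etc/luks_appfs_key}"   # assumed path; made once with: openssl rand -base64 32 > luks_appfs_key
DRY_RUN="${DRY_RUN:-0}"                      # DRY_RUN=1 prints the commands instead of executing them

# Map a RAUC slot index (0 = A, 1 = B) to the backing partition from the mail.
appfs_partition() {
    case "$1" in
        0) echo /dev/mmcblk2p1 ;;
        1) echo /dev/mmcblk2p2 ;;
        *) echo "unknown appfs slot index: $1" >&2; return 1 ;;
    esac
}

# Map a slot index to the device-mapper name used in the mail.
appfs_mapper_name() {
    case "$1" in
        0) echo crypt_appfs1 ;;
        1) echo crypt_appfs2 ;;
        *) echo "unknown appfs slot index: $1" >&2; return 1 ;;
    esac
}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# One-time factory provisioning of a slot: LUKS-format the partition with the
# key file, open it, and create the ext4 filesystem inside the mapping.
provision_appfs_slot() {
    idx="$1"
    dev="$(appfs_partition "$idx")" || return 1
    name="$(appfs_mapper_name "$idx")" || return 1
    run cryptsetup luksFormat --batch-mode --key-file "$KEYFILE" "$dev" &&
    run cryptsetup luksOpen --key-file "$KEYFILE" "$dev" "$name" &&
    run mkfs.ext4 "/dev/mapper/$name"
}

# Boot-time step: make sure the mapping for a slot exists whether or not the
# slot is the active one. Idempotent: an already-open slot is left alone.
open_appfs_slot() {
    idx="$1"
    dev="$(appfs_partition "$idx")" || return 1
    name="$(appfs_mapper_name "$idx")" || return 1
    if [ -e "/dev/mapper/$name" ]; then
        return 0
    fi
    run cryptsetup luksOpen --key-file "$KEYFILE" "$dev" "$name"
}

# Emit the appfs part of a RAUC system.conf whose slots point at the mapper
# devices. parent= ties each appfs slot to the rootfs slot of the same A/B
# group (rootfs.0 / rootfs.1 are assumed names), so one bundle updates them together.
render_appfs_slots() {
    for idx in 0 1; do
        name="$(appfs_mapper_name "$idx")" || return 1
        printf '[slot.appfs.%s]\ndevice=/dev/mapper/%s\ntype=ext4\nparent=rootfs.%s\n\n' \
            "$idx" "$name" "$idx"
    done
}

# Stand-alone use:
#   ./appfs-luks.sh provision   # factory, once
#   ./appfs-luks.sh open        # every boot, before rauc install is run
#   ./appfs-luks.sh conf        # print the slot sections for /etc/rauc/system.conf
case "${1:-}" in
    provision) provision_appfs_slot 0 && provision_appfs_slot 1 ;;
    open)      open_appfs_slot 0 && open_appfs_slot 1 ;;
    conf)      render_appfs_slots ;;
esac
```

With both mappings open, RAUC never touches the LUKS layer: it writes the ext4 image to /dev/mapper/crypt_appfsN and dm-crypt encrypts it on the way to the partition, which is what "transparent to rauc" means in Jan's reply. The key file itself is not a RAUC keyring entry (the keyring in /etc/rauc holds bundle-signing certificates) and lives in the clear on the device, so it should be root-only (mode 0400) and its protection is what decides what the at-rest encryption actually buys.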
