loop-aes-utils for Debian
-------------------------

  This package is based on Debian util-linux and the loop-AES 
  patch for util-linux. It is intended to be used in combination
  with a loop-AES kernel module.

  You can find detailed documentation for loop-AES in packages
  loop-aes-modules-$(KVERS) and loop-aes-source.

File system checks on boot
--------------------------

  This package includes an rcS.d init script to automatically
  check file systems on loop-encrypted files/devices at boot,
  before they are set up by mount. The script is not enabled
  by default, but it is recommended that you enable it so that
  fsck is run regularly.

  To enable file system checks on boot, change CHECKFS_LOOP_ENABLE
  in /etc/default/checkfs-loop to "yes". The script will check
  all file systems that have a loop=/dev/loop$n option in their
  entry in /etc/fstab and do not have options "noauto" or "sw".
  It otherwise works like the normal file system check.

Encrypted root fs
-----------------

  This package integrates with initramfs-tools so that an initramfs
  created with initramfs-tools will be able to handle a root fs on an
  encrypted (or not) loop device. This needs initramfs-tools version
  0.81 or later.

  This support is enabled by default if your root device in /etc/fstab
  has a "loop=/dev/loopN" option.

  You can forcibly enable the support by setting INITRAMFS_LOOPAES to
  "yes", either in /etc/initramfs-tools/initramfs.conf or in the shell
  calling mkinitramfs. The recommended setting is "auto". You can
  also forcibly disable the support with "no". One reason to force it
  off would be that you have custom scripts to handle a specific
  situation in your initramfs (e.g. reading the keys from removable
  media, from the network, ...).

  Whether you set INITRAMFS_LOOPAES in the shell before running
  mkinitramfs or in /etc/initramfs-tools/initramfs.conf, don't forget
  to export it. For example:

   INITRAMFS_LOOPAES=no
   export INITRAMFS_LOOPAES

  When support is forced on, support for all ciphers is included; when
  automatically enabled, only the necessary cipher module is included
  in the initramfs.

  The entry for the root fs in /etc/fstab should look like:

   /dev/hda5	/	ext3	loop=/dev/loop5,encryption=AES,gpgkey=/root/keys/loopaes.gpg	0	0

  not

   /dev/loop5	/	ext3	defaults	0	0

  If the options include a "gpgkey=" and/or a "gpghome=", these will
  be copied into the initramfs, to /keys/rootkeyfile.gpg and /.gnupg,
  respectively; if you supply a "gpghome=" option, it is recommended
  that it point to a specially prepared minimal directory rather
  than your usual "~/.gnupg/".

  You can override the loop and crypto related options of /etc/fstab
  at boot time by setting the kernel command-line "loopaesopts="
  option from your boot loader. The syntax is the same as in the
  options column of /etc/fstab. Any file path will be interpreted in
  the initramfs, obviously. For example:

   "loopaesopts=loop=/dev/loop5,encryption=AES,gpgkey=/keys/rootkeyfile.gpg"

  To minimise the risk of losing access to your computer when using
  root-on-loopaes, it is recommended to keep the (password-protected)
  keys to your root partition somewhere other than on that partition.
  That way, you can still access your partition even if the keys
  don't get copied into the initramfs for one reason or another
  (configuration error, bug in our code, ...). /boot/keys is a good
  choice. It also doesn't reduce security, as the keys will be in the
  initramfs in /boot during normal operation anyway. Combine this
  with INITRAMFS_LOOPAES=yes to always have the necessary modules and
  loop-aes utilities available in the initramfs shell and/or to be
  able to use the loopaesopts kernel command-line option.
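
  The recommendation above can be checked before rebooting. The
  following is an added example, not code from this package: it reads
  an fstab on stdin and flags a root entry whose gpgkey file lies on
  the root partition itself, judged only from the mount points listed
  in that fstab. The function and finding names are made up for this
  example.

```shell
#!/bin/sh
# Added example (not part of loop-aes-utils): sanity-check the root entry
# of an fstab read from stdin. Prints one finding per line, nothing if clean.
check_root_entry() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    { mnt[$2] = 1 }                          # remember every mount point
    $2 == "/" { dev = $1; opts = $4; seen = 1 }
    END {
        if (!seen) { print "no-root-entry"; exit }
        n = split(opts, o, ",")
        for (i = 1; i <= n; i++) {
            if (o[i] ~ /^loop=\/dev\/loop[0-9]+$/) loop = 1
            if (o[i] ~ /^gpgkey=/)  key  = substr(o[i], 8)
            if (o[i] ~ /^gpghome=/) home = substr(o[i], 9)
        }
        # The device column must be the backing device, not the loop device.
        if (dev ~ /^\/dev\/loop/) print "device-is-loop"
        if (!loop)                print "no-loop-option"
        if (key != "") {
            # Longest fstab mount point that is a prefix of the key path.
            best = "/"
            for (m in mnt)
                if (m != "/" && index(key, m "/") == 1 && length(m) > length(best))
                    best = m
            if (best == "/") print "key-on-root-fs " key
        }
        # Heuristic (assumption): a path ending in .gnupg is a regular keyring.
        if (home ~ /\.gnupg\/?$/) print "gpghome-default " home
    }'
}

# Constructed sample: the root line shown in this README plus a separate /boot.
sample_fstab() {
    printf '%s\n' \
        '/dev/hda1 /boot ext3 defaults 0 2' \
        '/dev/hda5 / ext3 loop=/dev/loop5,encryption=AES,gpgkey=/root/keys/loopaes.gpg 0 0'
}

sample_fstab | check_root_entry
```

  Run it against the real file with "check_root_entry < /etc/fstab".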

  When booting manually from the initramfs shell, remember that you
  don't have the loop-aes-utils version of mount; you need to use
  /sbin/losetup and then "mount /dev/loopN /root".

 -- Max Vozeler <xam@debian.org> and Lionel Elie Mamane <lmamane@debian.org>
