Deploy cryptsetup-reencrypt in Heads to permit QubesOS image deployment in organization #463

Closed
tlaurion opened this issue Oct 6, 2018 · 9 comments

Comments

@tlaurion
Collaborator

tlaurion commented Oct 6, 2018

Technical specifics discussion here and here for rationale discussion which led to this.

Summary:
QubesOS, Heads and Purism tried to collaborate to easily deploy QubesOS on trustworthy hardware. To do so, Purism and QubesOS created an OEM install disk that delayed OS installation after the user encrypted his disk.

The approach didn't take off, and from what I understand, that OEM install approach got dropped. @marmarek suggested that cryptsetup-reencrypt could be used but that approach was not really considered. Heads could reencrypt OEM/organization's installation offline. I'm testing that approach.

@kakaroto @kylerankin : Could you document what didn't take off with the OEM disk approach?

@tlaurion
Collaborator Author

tlaurion commented Oct 6, 2018

To make cryptsetup-reencrypt available in heads:

diff --git a/modules/cryptsetup b/modules/cryptsetup
index e81d356..4cea7f3 100644
--- a/modules/cryptsetup
+++ b/modules/cryptsetup
@@ -15,6 +15,7 @@ cryptsetup_configure := ./configure \
 	--host i386-elf-linux \
 	--prefix "/" \
 	--disable-gcrypt-pbkdf2 \
+	--enable-cryptsetup-reencrypt \
 	--with-crypto_backend=kernel \
 
 # but after building, replace prefix so that they will be installed
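Review bot: `--enable-cryptsetup-reencrypt` is turned on unconditionally in `cryptsetup_configure`, with no comment saying why the extra tool is wanted in the image. The file already carries explanatory comments (the `# but after building, replace prefix` line just below), so a one-line comment above the flag pointing at the offline re-encryption use case from #463 would help the next reader decide whether it can be dropped. If not every build needs the tool, consider making the flag conditional rather than always set.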
@@ -28,6 +29,7 @@ cryptsetup_target := \
 
 cryptsetup_output := \
 	src/.libs/cryptsetup \
+	src/.libs/cryptsetup-reencrypt \
 	src/.libs/veritysetup \
 
 cryptsetup_libraries := \
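Review bot: the new `src/.libs/cryptsetup-reencrypt` entry in `cryptsetup_output` depends on the `--enable-cryptsetup-reencrypt` flag added in the first hunk, but nothing in the file ties the two lines together. If the configure flag is later removed or made conditional, this output entry will name a file that was never built. A short comment next to the entry, or putting both lines behind the same condition, would keep them in sync. The entries under `cryptsetup_libraries` are cut off in this hunk, so please also confirm the new binary needs nothing beyond what `cryptsetup` already installs.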

@tlaurion
Collaborator Author

tlaurion commented Oct 6, 2018

Reencrypting possible after wiping out slot 1 used by TPMTOTP released key (cryptsetup luksKillSlot /dev/sda2 1)

@tlaurion
Collaborator Author

tlaurion commented Oct 6, 2018

cryptsetup-reencrypt /dev/sda2 slows down to an average of 54MiB/s after a while and cruises stable there. Might need to tweak reencrypt settings with something like cryptsetup-reencrypt -B 32 --use-directio /dev/sda2.

@tlaurion
Collaborator Author

tlaurion commented Oct 8, 2018

Result report:

cryptsetup-reencrypt /dev/sda2: reencryption took 56m to reencrypt 151600 MiB at an average speed of 45.4 MiB/s
cryptsetup-reencrypt -B 32 --use-directio /dev/sda2: reencryption took 25m to reencrypt 151600 MiB at an average speed of 98.3 MiB/s

@tlaurion
Collaborator Author

From @kylerankin:

I'd love to have an OEM-ready Qubes installer. The challenge with Qubes OEM images in the past was having resources with the expertise to build it. The Qubes team could do it but you would need to be willing to set up a consulting agreement with them and fund the effort.

@osresearch
Collaborator

Was this resolved by merging #464 or is there more to be done?

@tlaurion tlaurion closed this as completed Nov 8, 2018
@tlaurion tlaurion reopened this Nov 8, 2018
@tlaurion
Collaborator Author

tlaurion commented Nov 8, 2018

#475 a whiptail menu permitting to reencrypt drive is still missing.

@tlaurion
Collaborator Author

Included in #511

@tlaurion
Collaborator Author

tlaurion commented May 1, 2019

fixed in #551
