[opensuse-security] How does one convert from /etc/cryptotab to /etc/crypttab
Hi,

According to the release notes, I thought that /etc/cryptotab was to be converted to /etc/crypttab while upgrading 10.2 to 10.3, but it wasn't. How do I do it?

The entry in /etc/cryptotab is this:

  /dev/loop0 /dev/disk/by-id/ata-ST3320620A_5QF2M56F-part15 /cripta xfs twofish256 noatime,nodiratime

I see a man page for crypttab, which says that the lines should be:

  <target device> <source device> <key file> <options>

But I don't see clearly. It says:

  · The first column, target device specifies the mapped device name. It must be a plain filename without any directories. A mapped device /dev/mapper/device name will be created by cryptsetup(8) crypting data from and onto the source device. To actually mount that device it needs to be listed in /etc/fstab.

I.e., is it an invented name? A non-existing name in /dev/mapper/? Like /dev/mapper/MyCrypto? Then the line would be:

  MyCrypto /dev/disk/by-id/ata-ST3320620A_5QF2M56F-part15 ....

Now, third field:

  · The third column key file specifies the file to use for decrypting the encrypted data of the source device. It can also be a device name (e.g. /dev/urandom, which is useful for encrypted swap devices). Warning: luks does not support infinite streams (like /dev/urandom), it requires a fixed size key.

Are they talking of the mount point? A file containing the passphrase? I believe the second.

  · The fourth field options specifies the cryptsetup options associated with the encryption process. At minimum, the field should contain the string luks or the cipher, hash and size options. Options have to be specified in the format: key=value[,key=value ...]

Cipher, hash, size.... I have no idea how to relate this to the original remaining options:

  ... xfs twofish256 noatime,nodiratime

Is this supposed to be this way? I don't see how...
-- 
Cheers,
Carlos Robinson
Carlos E. R. wrote:
> According to the release notes, I thought that /etc/cryptotab was to be converted to /etc/crypttab while upgrading 10.2 to 10.3, but it wasn't.
No, it won't be converted. boot.crypto just transparently uses dm-crypt for both files now. So you actually don't have to do anything.
> But I don't see clearly. It says:
>
>   · The first column, target device specifies the mapped device name. It must be a plain filename without any directories. A mapped device /dev/mapper/device name will be created by cryptsetup(8) crypting data from and onto the source device. To actually mount that device it needs to be listed in /etc/fstab.
>
> I.e., is it an invented name? A non-existing name in /dev/mapper/? Like /dev/mapper/MyCrypto?
Yes.
> Now, third field:
>
>   · The third column key file specifies the file to use for decrypting the encrypted data of the source device. It can also be a device name (e.g. /dev/urandom, which is useful for encrypted swap devices). Warning: luks does not support infinite streams (like /dev/urandom), it requires a fixed size key.
>
> Are they talking of the mount point? A file containing the passphrase? I believe the second.
A file containing the binary key itself. If you type the passphrase interactively just specify 'none'. I guess I should rephrase the description.
>   · The fourth field options specifies the cryptsetup options associated with the encryption process. At minimum, the field should contain the string luks or the cipher, hash and size options. Options have to be specified in the format: key=value[,key=value ...]
>
> Cipher, hash, size.... I have no idea how to relate this to the original remaining options:
See the examples at the end of the man page.

cu
Ludwig
-- 
 (o_   Ludwig Nussel
 //\   http://www.suse.de/
 V_/_  SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
The Thursday 2007-11-29 at 09:04 +0100, Ludwig Nussel wrote:
> Carlos E. R. wrote:
>> According to the release notes, I thought that /etc/cryptotab was to be converted to /etc/crypttab while upgrading 10.2 to 10.3, but it wasn't.
>
> No, it won't be converted. boot.crypto just transparently uses dm-crypt for both files now. So you actually don't have to do anything.
Ah, good.
>>   · The fourth field options specifies the cryptsetup options associated with the encryption process. At minimum, the field should contain the string luks or the cipher, hash and size options. Options have to be specified in the format: key=value[,key=value ...]
>>
>> Cipher, hash, size.... I have no idea how to relate this to the original remaining options:
>
> See the examples at the end of the man page.
I must be thick in my head O:-)

Don't worry, if I can keep using /etc/cryptotab I will do so, easier for the moment.

My problem now is how to manually mount an encrypted partition using the new style devmap thing - I tried looking at /etc/init.d/boot.crypto, but I got lost. I have to look again when I'm not so tired.

Is there a wiki page, howto, doc you know about?

P.S: I'll report the bug on the other mail when I finish some things I have to do in my "real life".

-- 
Cheers,
Carlos E. R.
Hi Carlos,

On Thu, Nov 29, 2007 at 01:06:15PM +0100, Carlos E. R. wrote:
> My problem now is how to manually mount an encrypted partition using the new style devmap thing - I tried looking at /etc/init.d/boot.crypto, but I got lost. I have to look again when I'm not so tired.
The fields in /etc/crypttab can basically be used as options for cryptsetup. I don't know the Suse 10.3 but it probably contains a luks enabled version.

There is a big difference between encrypted devices with or without LUKS. With LUKS all relevant encryption options are stored in the partition header. You only need to specify "luks" in /etc/crypttab.

Example with encrypted ext3 partition on LVM:

#####
# <target name> <source device> <key file> <options>
vg1-root_crypt /dev/mapper/vg1-root none luks
#####

If you don't want to use a passphrase but a file on disk as the encryption key, just insert the filename as third field.

To mount a LUKS device, execute:

  cryptsetup luksOpen /dev/mapper/vg1-root vg1-root_crypt
  (or with keyfile: cryptsetup --key-file <file> luksOpen /dev/mapper/vg1-root vg1-root_crypt)
  mount /dev/mapper/vg1-root_crypt /whereveryouwant -t ext3

Partitions that don't use LUKS require the cryptsetup options in the fourth field, for example:

#####
# <target name> <source device> <key file> <options>
sda11_crypt /dev/sda11 none cipher=aes-cbc-essiv:sha256,size=256,hash=sha256
#####

To mount a non-LUKS device, use the "create" command. Take care that the options are written differently in /etc/crypttab and for cryptsetup (compare their manpages). For the example above, the command would be:

  cryptsetup --cipher aes-cbc-essiv:sha256 --key-size 256 --hash sha256 create sda11_crypt /dev/sda11
  mount /dev/mapper/sda11_crypt /whereveryouwant

Also note the different order of device arguments between both types.
> Is there a wiki page, howto, doc you know about?
cryptsetup manpage
http://www.saout.de/tikiwiki/tiki-index.php
http://www.saout.de/tikiwiki/tiki-index.php?page=LUKS
http://luks.endorphin.org

HTH,
Michel
-- 
Der tägliche Wahnsinn - http://www.virtualfreedom.de/dtw/
"Race" was the delusion of the 20th century, "security" is that of the 21st.
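The field mapping Michel lays out above (crypttab options versus cryptsetup flags, luksOpen versus create, and the swapped device order), applied to the cryptotab-to-crypttab question that opened the thread, as an added sh example that is not code from the thread, from boot.crypto or from cryptsetup. It assumes only the three legacy cipher names with the parameters given in the cryptsetup-twofish script and man page excerpt quoted later in the thread, treats any source path outside /dev as a loop image, and prints text without touching a device.

```shell
#!/bin/sh
# Added example, not code from the thread, from boot.crypto or from cryptsetup:
# turn a legacy /etc/cryptotab line into the crypttab + fstab pair boot.crypto
# reads on 10.3, and spell out the cryptsetup command a crypttab line stands
# for. It only prints text and never touches a device.
set -f   # fields are split with "set --"; keep a stray * from globbing

# cryptotab cipher name -> crypttab cipher=,size=,hash= triple. The three names
# and parameters are those of the cryptsetup-twofish script and the cryptsetup
# man page quoted in the thread; anything else is refused rather than guessed.
legacy_cipher_opts() {
    case "$1" in
        twofish256)  echo 'cipher=twofish-cbc-plain,size=256,hash=sha512' ;;
        twofishSL92) echo 'cipher=twofish-cbc-null,size=256,hash=sha512' ;;
        twofish)     echo 'cipher=twofish-cbc-null,size=192,hash=ripemd160:20' ;;
        *) echo "unknown cryptotab cipher: $1" >&2; return 1 ;;
    esac
}

# cryptotab_to_crypttab '<cryptotab line>' [target name]
# cryptotab fields: <loop dev> <source> <mount point> <fstype> <cipher> <options>
# Prints the crypttab line, then the fstab line. "noauto" stays a crypttab
# option (honoured there, never in cryptotab); every other option is a mount
# option and belongs in fstab. The default target cryptotab_loopN is the mapper
# name boot.crypto used for cryptotab entries in the thread.
cryptotab_to_crypttab() {
    target=$2
    set -- $1
    [ $# -eq 6 ] || { echo "expected 6 cryptotab fields, got $#" >&2; return 1; }
    [ -n "$target" ] || target="cryptotab_${1#/dev/}"
    src=$2; mnt=$3; fstype=$4
    copts=$(legacy_cipher_opts "$5") || return 1
    mopts=
    IFS=,
    for o in $6; do
        case "$o" in
            noauto) copts="$copts,noauto" ;;
            *)      mopts="${mopts:+$mopts,}$o" ;;
        esac
    done
    unset IFS
    # Assumption: a source outside /dev is an image file and needs the "loop"
    # option so that boot.crypto runs losetup before cryptsetup.
    case "$src" in /dev/*) ;; *) copts="$copts,loop" ;; esac
    printf '%s %s none %s\n' "$target" "$src" "$copts"
    printf '/dev/mapper/%s %s %s %s 0 0\n' "$target" "$mnt" "$fstype" "${mopts:-defaults}"
}

# crypttab_to_cryptsetup '<crypttab line>'
# Prints the cryptsetup command the line stands for. A LUKS device keeps cipher,
# key size and hash in its header and is opened with "luksOpen <source> <target>";
# a plain dm-crypt device needs them as flags, spelled differently from crypttab
# (size= becomes --key-size), and is set up with "create <target> <source>", with
# the device arguments swapped. A "loop" source must be attached with losetup
# first and the resulting /dev/loopN used in place of the image path.
crypttab_to_cryptsetup() {
    set -- $1
    [ $# -eq 4 ] || { echo "expected 4 crypttab fields, got $#" >&2; return 1; }
    target=$1; src=$2; key=$3
    keyopt=
    [ "$key" = none ] || keyopt="--key-file $key "
    luks=; cipher=; size=; hash=
    IFS=,
    for o in $4; do
        case "$o" in
            luks)     luks=1 ;;
            cipher=*) cipher=${o#cipher=} ;;
            size=*)   size=${o#size=} ;;
            hash=*)   hash=${o#hash=} ;;
        esac
    done
    unset IFS
    if [ -n "$luks" ]; then
        echo "cryptsetup ${keyopt}luksOpen $src $target"
    elif [ -n "$cipher" ] && [ -n "$size" ] && [ -n "$hash" ]; then
        echo "cryptsetup ${keyopt}--cipher $cipher --key-size $size --hash $hash create $target $src"
    else
        echo "crypttab options need 'luks' or all of cipher=,size=,hash=" >&2; return 1
    fi
}

# Usage: sh convert-cryptotab.sh /path/to/copy-of-cryptotab  (prints only;
# copy the lines into crypttab and fstab by hand)
if [ $# -eq 1 ] && [ -f "$1" ]; then
    while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        cryptotab_to_crypttab "$line"
    done < "$1"
fi
```

Run it on Carlos's cryptotab line and it yields the crypttab entry Ludwig later confirms works once itercountk is dropped; feed the result to crypttab_to_cryptsetup to see the same "create" command the thread types by hand.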
The Thursday 2007-11-29 at 20:56 +0100, Michel Messerschmidt wrote:
> The fields in /etc/crypttab can basically be used as options for cryptsetup. I don't know the Suse 10.3 but it probably contains a luks enabled version.
I understand so.
> There is a big difference between encrypted devices with or without LUKS. With LUKS all relevant encryption options are stored in the partition header. You only need to specify "luks" in /etc/crypttab.
Ah! Of course, that means recreating the partition. But it is interesting. ...
> To mount a non-LUKS device, use the "create" command. Take care that the options are written differently in /etc/crypttab and for cryptsetup (compare their manpages). For the example above, the command would be:
>
>   cryptsetup --cipher aes-cbc-essiv:sha256 --key-size 256 --hash sha256 create sda11_crypt /dev/sda11
>   mount /dev/mapper/sda11_crypt /whereveryouwant
>
> Also note the different order of device arguments between both types.
This is what I need, I think.
>> Is there a wiki page, howto, doc you know about?
>
> cryptsetup manpage
> http://www.saout.de/tikiwiki/tiki-index.php
> http://www.saout.de/tikiwiki/tiki-index.php?page=LUKS
> http://luks.endorphin.org
Ah! Thanks, I'll have to read them.

This reminds me that when I had another encryption related problem with filesystems created for suse 9.2, when using 10.1, Ludwig proposed I try a patch he had, and the script he wrote and that will come useful again.

  Date: Wed, 14 Feb 2007 11:40:48 +0100
  From: Ludwig Nussel <>
  Subject: Re: [opensuse-security] Weird encrypted filesystem problem.

I'll copy here the script 'cryptsetup-twofish' for reference:

+++======================================
#!/bin/bash
#
# set up legacy cryptoloop and loop_fish2 images via cryptsetup
#
name="$1"
dev="$2"

# defaults: the parameters of a twofish256 cryptoloop image
ivgen='plain'
hashalgo='sha512'
klen='256'
istwofish=''

if [ -z "$name" -o -z "$dev" ]; then
    echo "Usage: $0 <NAME> <DEVICE>" >&2
    exit 1
fi

if [ ! -b "$dev" ]; then
    echo "$dev is not a block device, try" >&2
    echo "losetup /dev/loop0 $dev" >&2
    exit 1
fi

set -e

# the image format is chosen by the name the script is invoked as (symlinks)
case "$0" in
    *-twofish256) ;;
    *-twofishSL92) ivgen=null ;;
    *-twofish) ivgen=null; klen=192; hashalgo="ripemd160:20" ;;
    *) echo "unknown mode"; exit 1 ;;
esac

set -- cryptsetup create "$name" "$dev" --cipher twofish-cbc-$ivgen -s $klen -h $hashalgo
exec "$@"
======================================++-

The script 'cryptsetup-twofish' has two symlinks '@cryptsetup-twofish256' and '@cryptsetup-twofishSL92'. It is '@cryptsetup-twofish256' which I'll use now.
The sequence is:

nimrodel:~ # file -s /Grande/imgs/roto
/Grande/imgs/roto: data

(that's a file that contains the encrypted image)

nimrodel:~ # losetup /dev/loop4 /Grande/imgs/roto
nimrodel:~ # losetup -a
/dev/loop0: [000e]:4593 (/dev/disk/by-id/ata-ST3320620A_5QF2M56F-part15)
/dev/loop4: [0314]:9142822 (/Grande/imgs/roto)
nimrodel:~ # file -s /dev/loop4
/dev/loop4: data
nimrodel:~ # cryptsetup-twofish256 roto /dev/loop4
Enter passphrase:
nimrodel:~ # file -s /dev/dm-1 /dev/loop4 /dev/mapper/roto
/dev/dm-1: SGI XFS filesystem data (blksz 4096, inosz 256, v2 dirs)
/dev/loop4: data
/dev/mapper/roto: SGI XFS filesystem data (blksz 4096, inosz 256, v2 dirs)
nimrodel:~ # mount /dev/mapper/roto /mnt/crypta.mm_dvd1.x/
nimrodel:~ # dmsetup info
Name: roto
State: ACTIVE
Tables present: LIVE
Open count: 1
Event number: 0
Major, minor: 253, 1
Number of targets: 1

Name: cryptotab_loop0
State: ACTIVE
Tables present: LIVE
Open count: 1
Event number: 0
Major, minor: 253, 0
Number of targets: 1

And I get my files in '/mnt/crypta.mm_dvd1.x/' again!

So far, so good, I have a method to mount my previously created encrypted filesystems using the new method (cryptsetup). I'd propose that the above script be included somewhere on the distro, or published as an alternative method for manually mounting older encrypted partitions.

What I don't understand yet is what are those /dev/dm-1 devices:

cer@nimrodel:~> l /dev/dm-1
brw-r----- 1 root disk 253, 1 2007-11-30 01:04 /dev/dm-1

In "/usr/src/linux/Documentation/devices.txt" they are listed as "experimental/local use":

240-254 char    LOCAL/EXPERIMENTAL USE
240-254 block   LOCAL/EXPERIMENTAL USE
                Allocated for local/experimental use. For devices not assigned official numbers, these ranges should be used in order to avoid conflicting with future assignments.

What are they, then? I reckon I haven't read the sites you mentioned above, yet.

-- 
Cheers,
Carlos E. R.
Carlos E. R. wrote:
> This reminds me that when I had another encryption related problem with filesystems created for suse 9.2, when using 10.1, Ludwig proposed I try a patch he had, and the script he wrote and that will come useful again.
> [...]
> I'd propose that the above script be included somewhere on the distro, or published as an alternative method for manually mounting older encrypted partitions.
The script is no longer needed, boot.crypto is able to handle all disk formats via crypttab/cryptotab now. You can also tell it to manually mount a single partition, e.g.

  /etc/init.d/boot.crypto start /secret

cu
Ludwig
The Friday 2007-11-30 at 09:07 +0100, Ludwig Nussel wrote:
>> I'd propose that the above script be included somewhere on the distro, or published as an alternative method for manually mounting older encrypted partitions.
>
> The script is no longer needed, boot.crypto is able to handle all disk formats via crypttab/cryptotab now.
But manually? These are partition/filesystems I don't mount at boot.
> You can also tell it to manually mount a single partition, e.g.
>
>   /etc/init.d/boot.crypto start /secret
What? This is wonderful! But this is not documented!

nimrodel:~ # /etc/init.d/boot.crypto
Usage: /etc/init.d/boot.crypto {start|stop|status|restart}

No help text on this :-(

What do I do, define a partition or filesystem as "noauto" in /etc/cryptotab?

[...]

Testing. I create in '/etc/cryptotab' the line:

/dev/loop6 /biggy/crypta_f.mm.x /mnt/crypta.mm.x xfs twofish256 noauto,user,noatime,nodiratime

nimrodel:~ # /etc/init.d/boot.crypto start /mnt/crypta.mm.x
/mnt/crypta.mm.x: xfs doesn't exist skipped
Please enter passphrase for /biggy/crypta_f.mm.x:
Command failed: Key reading error
/biggy/crypta_f.mm.x... failed

Maybe it wants the "device" or file, not the mountpoint:

nimrodel:~ # /etc/init.d/boot.crypto start /biggy/crypta_f.mm.x
/mnt/crypta.mm.x: xfs doesn't exist skipped
Please enter passphrase for /biggy/crypta_f.mm.x:
Command failed: Key reading error
/biggy/crypta_f.mm.x... failed

No... it doesn't like the file syntax, and it's the same as the existing working line:

/dev/loop0 /dev/disk/by-id/ata-ST3320620A_5QF2M56F-part15 /cripta xfs twofish256 noatime,nodiratime

-- 
Cheers,
Carlos E. R.
The Friday 2007-11-30 at 11:28 +0100, Carlos E. R. wrote:
> Testing. I create in '/etc/cryptotab' the line:
>
> /dev/loop6 /biggy/crypta_f.mm.x /mnt/crypta.mm.x xfs twofish256 noauto,user,noatime,nodiratime
>
> nimrodel:~ # /etc/init.d/boot.crypto start /mnt/crypta.mm.x
> /mnt/crypta.mm.x: xfs doesn't exist skipped
> Please enter passphrase for /biggy/crypta_f.mm.x:
> Command failed: Key reading error
> /biggy/crypta_f.mm.x... failed
Sorry, my fault. I had a temporary line left over from copypasting. It works!

nimrodel:~ # /etc/init.d/boot.crypto start /mnt/crypta.mm.x
Please enter passphrase for /biggy/crypta_f.mm.x:
[/sbin/fsck.xfs (1) -- /dev/mapper/cryptotab_loop6] fsck.xfs -a /dev/mapper/cryptotab_loop6
/sbin/fsck.xfs: XFS file system.
/biggy/crypta_f.mm.x... done

Reading your web page, I have a new doubt:

] Example: new /etc/crypttab and /etc/fstab for twofish256 cryptoloop
] image
]
] crypttab:
]
] secret /secret.img none cipher=twofish-cbc-plain,size=256,hash=sha512,itercountk=100
]
] fstab:
]
] /dev/mapper/secret /secret ext2 noauto,acl,user_xattr 0 0

Currently I'm using /etc/cryptotab:

/dev/loop6 /biggy/crypta_f.mm.x /mnt/crypta.mm.x xfs twofish256 noauto,user,noatime,nodir

which seems easier than crypttab, but if the needed options are those you write there, then it is easy enough.

However... Do I need the fstab line if I mount it via /etc/init.d/boot.crypto? Because mounting via boot.crypto is obviously simpler than the three line commands you write:

] losetup /dev/loop0 /secret.img
] cryptsetup --hash sha512 --cipher twofish-cbc-plain --key-size 256 create secret_img /dev/loop0
] mount /dev/mapper/secret_img /secret

[...]

It appears I'll have to move things to crypttab: entries in cryptotab with noauto ignore it:

nimrodel:~ # /etc/init.d/boot.crypto start
Activating crypto devices using /etc/cryptotab ...
/dev/disk/by-id/ata-ST3320620A_5QF2M56F-part15: cryptotab_loop0 alreadskippedd
Please enter passphrase for /biggy/crypta_f.mm.x:
[/sbin/fsck.xfs (1) -- /dev/mapper/cryptotab_loop6] fsck.xfs -a /dev/mapper/cryptotab_loop6
/sbin/fsck.xfs: XFS file system.
/biggy/crypta_f.mm.x... done

The second entry, which is noauto, tries to mount.

-- 
Cheers,
Carlos E. R.
The Friday 2007-11-30 at 12:33 +0100, Carlos E. R. wrote:
> Currently I'm using /etc/cryptotab:
>
> /dev/loop6 /biggy/crypta_f.mm.x /mnt/crypta.mm.x xfs twofish256 noauto,user,noatime,nodir
I tried to move to /etc/crypttab reading your instructions on the web page. But it doesn't work.

/etc/crypttab:

mycrypt_mm_f /biggy/crypta_f.mm.x none cipher=twofish-cbc-plain,size=256,hash=sha512,itercountk=100,noauto,loop

/etc/fstab:

/dev/mapper/mycrypt_mm_f /mnt/crypta.mm.x xfs noauto,user,noatime,nodiratime 1 4

nimrodel:~ # /etc/init.d/boot.crypto status
/dev/disk/by-id/ata-ST3320620A_5QF2M56F-part15 [ loop0 mapped mounted running
/biggy/crypta_f.mm.x unused
nimrodel:~ # /etc/init.d/boot.crypto start /mnt/crypta.mm.x
nimrodel:~ #
nimrodel:~ # /etc/init.d/boot.crypto start /biggy/crypta_f.mm.x
Please enter passphrase for /biggy/crypta_f.mm.x (mycrypt_mm_f):
WARNING: hashlen truncated to 32
An error occurred. The passphrase may be wrong or the file system on /biggy/crypta_f.mm.x might be corrupted. To check the file system, enter Check.
Retry entering the passphrase? ([yes]/no/check/)
Please enter passphrase for /biggy/crypta_f.mm.x (mycrypt_mm_f):
WARNING: hashlen truncated to 32
An error occurred. The passphrase may be wrong or the file system on /biggy/crypta_f.mm.x might be corrupted. To check the file system, enter Check.
Retry entering the passphrase? ([yes]/no/check/) no
/biggy/crypta_f.mm.x... skipped

Conclusion:

If I define the entry in /etc/cryptotab, the "noauto" setting is ignored and tries to mount during boot. Manually mounting later does work fine. I can use the mount point as specifier.

If I define the entry in /etc/crypttab, the "noauto" setting works, but it can not mount (errors out). Plus, it does not accept the mount point as specifier, requires the file image.

  1st: /etc/init.d/boot.crypto start /mnt/crypta.mm.x
  2nd: /etc/init.d/boot.crypto start /biggy/crypta_f.mm.x

which is harder to remember (it is contrary to mount command usage)

-- 
Cheers,
Carlos E. R.
Carlos E. R. wrote:
> The Friday 2007-11-30 at 12:33 +0100, Carlos E. R. wrote:
>> Currently I'm using /etc/cryptotab:
>>
>> /dev/loop6 /biggy/crypta_f.mm.x /mnt/crypta.mm.x xfs twofish256 noauto,user,noatime,nodir
>
> I tried to move to /etc/crypttab reading your instructions on the web page. But it doesn't work.
>
> /etc/crypttab:
>
> mycrypt_mm_f /biggy/crypta_f.mm.x none cipher=twofish-cbc-plain,size=256,hash=sha512,itercountk=100,noauto,loop
The itercountk option is wrong in your case.
> If I define the entry in /etc/cryptotab, the "noauto" setting is ignored and tries to mount during boot. Manually mounting later does work fine. I can use the mount point as specifier.
"noauto" never existed for cryptotab.
> If I define the entry in /etc/crypttab, the "noauto" setting works, but it can not mount (errors out)
>
> Plus, it does not accept the mount point as specifier, requires the file image.
Yes indeed. The mountpoint is not in crypttab but in fstab, boot.crypto doesn't look into fstab at the point where it checks for the specified device. I guess I could implement that though.

cu
Ludwig
The Friday 2007-11-30 at 13:28 +0100, Ludwig Nussel wrote:
>> mycrypt_mm_f /biggy/crypta_f.mm.x none cipher=twofish-cbc-plain,size=256,hash=sha512,itercountk=100,noauto,loop
>
> The itercountk option is wrong in your case.
Ok, now it works via crypttab, too. Good :-)
>> If I define the entry in /etc/cryptotab, the "noauto" setting is ignored and tries to mount during boot. Manually mounting later does work fine. I can use the mount point as specifier.
>
> "noauto" never existed for cryptotab.
Pity. I thought you had added it.
>> If I define the entry in /etc/crypttab, the "noauto" setting works, but it can not mount (errors out)
>>
>> Plus, it does not accept the mount point as specifier, requires the file image.
>
> Yes indeed. The mountpoint is not in crypttab but in fstab, boot.crypto doesn't look into fstab at the point where it checks for the specified device. I guess I could implement that though.
That would be nice! O:-)

I think I will use the /etc/cryptotab method meanwhile, because I remember better the mountpoints than the image files, and skip the mounting during boot pressing enter, if I read the notes correctly.

I could also use my own script, but then they would not be umounted on halt, and that is dangerous. Ah, no! I could modify my own script to call boot.crypto converting mountpoints to image files for me :-)

-- 
Cheers,
Carlos E. R.
Carlos E. R. wrote:
> which seems easier than crypttab, but if the needed options are those you write there, then it is easy enough.
>
> However... Do I need the fstab line if I mount it via /etc/init.d/boot.crypto? Because mounting via boot.crypto is obviously simpler than the three line commands you write:
If you want boot.crypto to mount entries in crypttab you also need an entry in fstab since crypttab doesn't contain information about mount points or file systems.
> ] losetup /dev/loop0 /secret.img
> ] cryptsetup --hash sha512 --cipher twofish-cbc-plain --key-size 256 create secret_img /dev/loop0
> ] mount /dev/mapper/secret_img /secret
Those commands are just for explaining what boot.crypto does. If all goes well you don't need to type them manually. You may find them helpful if some step doesn't work and you need to debug things manually though.

cu
Ludwig
The Friday 2007-11-30 at 13:31 +0100, Ludwig Nussel wrote:
>> which seems easier than crypttab, but if the needed options are those you write there, then it is easy enough.
>>
>> However... Do I need the fstab line if I mount it via /etc/init.d/boot.crypto? Because mounting via boot.crypto is obviously simpler than the three line commands you write:
>
> If you want boot.crypto to mount entries in crypttab you also need an entry in fstab since crypttab doesn't contain information about mount points or file systems.
Yep, I saw that later.
>> ] losetup /dev/loop0 /secret.img
>> ] cryptsetup --hash sha512 --cipher twofish-cbc-plain --key-size 256 create secret_img /dev/loop0
>> ] mount /dev/mapper/secret_img /secret
>
> Those commands are just for explaining what boot.crypto does. If all goes well you don't need to type them manually. You may find them helpful if some step doesn't work and you need to debug things manually though.
Right. Now I will have to write my own notes to remember all this, hoping it doesn't change again next year :-p

-- 
Cheers,
Carlos E. R.
On Fri, Nov 30, 2007 at 01:59:00AM +0100, Carlos E. R. wrote:
> This reminds me that when I had another encryption related problem with filesystems created for suse 9.2, when using 10.1, Ludwig proposed I try a patch he had, and the script he wrote and that will come useful again.
These (or similar) patches have been integrated into cryptsetup. According to the man page:

  To read images created with SuSE Linux 9.2's loop_fish2 use --cipher twofish-cbc-null -s 256 -h sha512, for images created with even older SuSE Linux use --cipher twofish-cbc-null -s 192 -h ripemd160:20

I have no old partition left to try though.
The Friday 2007-11-30 at 10:20 +0100, Michel Messerschmidt wrote:
> On Fri, Nov 30, 2007 at 01:59:00AM +0100, Carlos E. R. wrote:
>> This reminds me that when I had another encryption related problem with filesystems created for suse 9.2, when using 10.1, Ludwig proposed I try a patch he had, and the script he wrote and that will come useful again.
>
> These (or similar) patches have been integrated into cryptsetup.
>
> According to the man page: To read images created with SuSE Linux 9.2's loop_fish2 use --cipher twofish-cbc-null -s 256 -h sha512, for images created with even older SuSE Linux use --cipher twofish-cbc-null -s 192 -h ripemd160:20
>
> I have no old partition left to try though.
I didn't mean the patch, but the script. The script facilitates mounting without remembering all those "cryptic" options. Based on that script I created another that mounts some of my filesystems with a single, simple command.

-- 
Cheers,
Carlos E. R.
Carlos E. R. wrote:
> My problem now is how to manually mount an encrypted partition using the new style devmap thing - I tried looking at /etc/init.d/boot.crypto, but I got lost. I have to look again when I'm not so tired.
>
> Is there a wiki page, howto, doc you know about?
http://www.suse.de/~lnussel/hdencryption/hdencryption.html

cu
Ludwig
The Friday 2007-11-30 at 09:04 +0100, Ludwig Nussel wrote:
> Carlos E. R. wrote:
>> My problem now is how to manually mount an encrypted partition using the new style devmap thing - I tried looking at /etc/init.d/boot.crypto, but I got lost. I have to look again when I'm not so tired.
>>
>> Is there a wiki page, howto, doc you know about?
Ah! With samples, too... very good! I have to try this method.

-- 
Cheers,
Carlos E. R.