Mailinglist Archive: opensuse-factory (528 mails)
Re: [opensuse-factory] cryptsetup, some old, big and fat disks with encryption=twofish256, ...
- From: Ludwig Nussel <ludwig.nussel@xxxxxxx>
- Date: Wed, 2 May 2007 12:11:43 +0200
- Message-id: <200705021211.43153.ludwig.nussel@xxxxxxx>
Jochen Hayek wrote:
> I have a few disks with fstab entries like this one:
>
> noauto,nocheck,acl,user_xattr,loop=/dev/loop0,encryption=twofish256,phash=sha512,itercountk=100
>
> I would like to mount them under 10.3Alpha3 resp. SUSE Factory.
>
> cryptsetup's manual page says
>
> COMPATABILITY WITH OLD SUSE TWOFISH PARTITIONS
>
> To read images created with SuSE Linux 9.2's loop_fish2
>
> use --cipher twofish-cbc-null -s 256 -h sha512,
>
> for images created with even older SuSE Linux
>
> use --cipher twofish-cbc-null -s 192 -h ripemd160:20
>
> but if twofish-cbc-null is not listed in /proc/crypto ,
> there is no way getting this working, right?
That's not the problem. The fstab line means you use losetup to set
up an encrypted loop device. When migrating util-linux to
util-linux-ng the loop-AES patch got dropped. The itercountk option
was part of that patch. As a quick workaround to be able to access
your data you can install util-linux (or just mount/losetup) from
10.2. The plan is to not reintroduce the loop-AES patch (yast never
offered to use any of its options, right?) and also to get rid of
the loop_fish2 kernel module for 10.3 though.
> Shall I just forget twofish256 and migrate all my encrypted disks?
If that's an option for you it certainly makes sense to use a more
secure on-disk format. 10.3 should still be able to read old images
though. Therefore cryptsetup/dm-crypt do support the loop_fish2
format (twofish-cbc-null) in factory already. What's missing atm is
the ability to generate keys compatible with the loop-AES patch.
Please file a bug and assign it to me, I'll consider implementing
replacements for itercountk and pseed options in cryptsetup.
cu
Ludwig
--
(o_ Ludwig Nussel
//\ SUSE Labs
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-factory+help@xxxxxxxxxxxx
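
Added example, not part of the original mail and not a SUSE tool: a shell function that lists fstab entries setting up an encrypted loop device and flags those using the itercountk or pseed options, which the reply above attributes to the dropped loop-AES patch. The function names, the sample fstab, its device names and its mount points are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Lists fstab entries that set
# up an encrypted loop device and flags those using the loop-AES-only options
# named in the reply (itercountk, pseed).

# audit_fstab FILE
# Prints one line per encrypted-loop entry: "<mountpoint> <encryption> <flag>"
# where <flag> is "needs-loop-aes:<opts>" or "no-loop-aes-options".
audit_fstab() {
    awk '
    /^[ \t]*#/ || NF < 4 { next }          # skip comments and short lines
    {
        n = split($4, opts, ",")            # 4th fstab field: mount options
        enc = ""; aes = ""
        for (i = 1; i <= n; i++) {
            split(opts[i], kv, "=")
            if (kv[1] == "encryption") enc = kv[2]
            if (kv[1] == "itercountk" || kv[1] == "pseed")
                aes = aes (aes == "" ? "" : ",") kv[1]
        }
        if (enc == "") next                 # not an encrypted loop mount
        flag = (aes == "") ? "no-loop-aes-options" : "needs-loop-aes:" aes
        print $2, enc, flag
    }' "$1"
}

# Constructed sample input; device and mount-point names are made up.
# Only the options string of /mnt/old is taken from the mail above.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample
/dev/sda2      /            ext3  acl,user_xattr  1 1
/data/old.img  /mnt/old     ext3  noauto,nocheck,acl,user_xattr,loop=/dev/loop0,encryption=twofish256,phash=sha512,itercountk=100  0 0
/data/img2     /mnt/img2    ext3  noauto,loop=/dev/loop1,encryption=twofish256  0 0
/data/img3     /mnt/img3    ext3  noauto,loop,encryption=AES128,pseed=abc,itercountk=50  0 0
EOF
}

# Run with --demo to audit the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && write_sample_fstab "$tmp" && audit_fstab "$tmp"; rm -f "$tmp"
fi
```

Entries flagged `needs-loop-aes` are the ones that, per the reply, still require mount/losetup from 10.2 until cryptsetup gains compatible key generation.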