Mailinglist Archive: opensuse-factory (528 mails)
Re: [opensuse-factory] cryptsetup, some old, big and fat disks with encryption=twofish256, ...
- From: Ludwig Nussel <ludwig.nussel@xxxxxxx>
- Date: Thu, 3 May 2007 10:49:15 +0200
- Message-id: <200705031049.15230.ludwig.nussel@xxxxxxx>
Jochen Hayek wrote:
> >>>>> Ludwig Nussel writes:
> LN> When migrating util-linux to util-linux-ng the loop-AES patch got dropped.
>
> Did anybody at SUSE consider the consequences of that for enterprise users?
>
> But maybe I was the only one making use of that.
>
> LN> The itercountk option was part of that patch.
>
> LN> As quick workaround to be able to access your data
> LN> you can install util-linux (or just mount/losetup) from 10.2.
>
> LN> The plan is to not reintroduce the loop-AES patch
> LN> (yast never offered to use any of its options right?)
>
> You are most probably right in that yast did not explicitly offer those options,
> but it *did* generate fstab (resp. crypttab ?!?) entries making use of that.
> That's how I got to such encryption schemes.
> That was a couple of years ago ...
You are right. I just checked 9.2, yast indeed does use
itercountk=100 if one chooses to not mount the image on boot. I.e.
different parameters depending on whether /etc/fstab or
/etc/cryptotab is used. That means we need to support an upgrade
path without hacks. Thanks for pointing that out!
> I did not suspect then, that wasn't a good idea.
>
> If I had had the vague idea then,
> that I depended on a pretty "off-road" patch resp. encryption scheme,
> that SUSE would drop one day around 2007 ...
I don't intend to drop support for encryption schemes yast once
offered.
> Excuse me, but is LUKS also such a quite "off-road" patch,
> that I should better not make myself dependent on?!?
No one knows. It's supported on most distros with unmodified tools so chances
are good that you won't end up with unreadable images :-)
> LN> and also to get rid of the loop_fish2 kernel module for 10.3 though.
>
> >> Shall I just forget twofish256 and migrate all my encrypted disks?
>
> LN> If that's an option for you
> LN> it certainly makes sense to use a more secure on-disk format.
> LN> 10.3 should still be able to read old images though.
> LN> Therefore cryptsetup/dm-crypt do support the loop_fish2 format (twofish-cbc-null) in factory already.
> LN> What's missing atm is the ability to generate keys compatible with the loop-AES patch.
>
> You mean, the ability to cope with such encryption schemes,
> is that identical to generating such keys?!?
The itercountk parameter does not affect the format of the data on
the disk (twofish-cbc-null). It just specifies a different method
(sha512+aes instead of just sha512) to compute the binary key used
for encryption.
> LN> Please file a bug and assign it to me,
>
> I am not sure, we will really end there, but ... maybe.
> (I personally, I am already migrating my encrypted disks ...)
Looks like you are a brave man since you already tried to use your
crypted images on factory :-) So I'd be glad if you could keep your
old images around and verify that the new method to access them
actually works.
> Under http://en.opensuse.org/Submitting_Bug_Reports
> I can find a list of "How to ..." -- which one applies?
I've filed Bug #270833 myself. You may add yourself to CC if you are
interested.
cu
Ludwig
--
(o_ Ludwig Nussel
//\ SUSE Labs
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-factory+help@xxxxxxxxxxxx