Jochen Hayek wrote:
> Ludwig Nussel writes:
> LN> When migrating util-linux to util-linux-ng the loop-AES patch got dropped.
>
> Did anybody at SUSE consider the consequences of that for enterprise users?
> But maybe I was the only one making use of that.
>
> LN> The itercountk option was part of that patch.
> LN> As quick workaround to be able to access your data
> LN> you can install util-linux (or just mount/losetup) from 10.2.
> LN> The plan is to not reintroduce the loop-AES patch
> LN> (yast never offered to use any of its options, right?)
>
> You are most probably right in that yast did not explicitly offer those options, but it *did* generate fstab (resp. crypttab ?!?) entries making use of that. That's how I got to such encryption schemes. That was a couple of years ago ...

You are right. I just checked 9.2; yast indeed does use itercountk=100 if one chooses to not mount the image on boot. I.e. different parameters depending on whether /etc/fstab or /etc/cryptotab is used. That means we need to support an upgrade path without hacks. Thanks for pointing that out!

> I did not suspect then that it wasn't a good idea.
> If I had had the vague idea then that I depended on a pretty "off-road" patch (resp. encryption scheme) that SUSE would drop one day around 2007 ...

I don't intend to drop support for encryption schemes yast once offered.

> Excuse me, but is LUKS also such a quite "off-road" patch that I should better not make myself dependent on?!?

No one knows. It's supported on most distros with unmodified tools, so chances are good that you won't end up with unreadable images :-)

> LN> and also to get rid of the loop_fish2 kernel module for 10.3 though.
>
> >> Shall I just forget twofish256 and migrate all my encrypted disks?
>
> LN> If that's an option for you
> LN> it certainly makes sense to use a more secure on-disk format.
> LN> 10.3 should still be able to read old images though.
> LN> Therefore cryptsetup/dm-crypt do support the loop_fish2 format (twofish-cbc-null) in factory already.
> LN> What's missing atm is the ability to generate keys compatible with the loop-AES patch.
>
> You mean, the ability to cope with such encryption schemes, is that identical to generating such keys?!?

The itercountk parameter does not affect the format of the data on the disk (twofish-cbc-null). It just specifies a different method (sha512+aes instead of just sha512) to compute the binary key used for encryption.

> LN> Please file a bug and assign it to me,
>
> I am not sure we will really end there, but ... maybe. (I personally, I am already migrating my encrypted disks ...)

Looks like you are a brave man, since you already tried to use your crypted images on factory :-) So I'd be glad if you could keep your old images around and verify that the new method to access them actually works.

> Under http://en.opensuse.org/Submitting_Bug_Reports I can find a list of "How to ..." -- which one applies?

I've filed Bug #270833 myself. You may add yourself to CC if you are interested.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   SUSE Labs
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)