Mailinglist Archive: opensuse-security (128 mails)
Re: [opensuse-security] How does one convert from /etc/cryptotab to /etc/crypttab
- From: Michel Messerschmidt <lists@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 29 Nov 2007 20:56:58 +0100
- Message-id: <20071129195658.GC5811@xxxxxxxxxx>
Hi Carlos,
On Thu, Nov 29, 2007 at 01:06:15PM +0100, Carlos E. R. wrote:
> My problem now is how to manually mount an encrypted partition using the
> new style devmap thing - I tried looking at /etc/init.d/boot.crypto, but I
> got lost. I have to look again when I'm not so tired.
The fields in /etc/crypttab can basically be used as options for
cryptsetup. I don't know SUSE 10.3, but it probably contains a
LUKS-enabled version.
There is a big difference between encrypted devices with or without
LUKS. With LUKS all relevant encryption options are stored in the
partition header. You only need to specify "luks" in /etc/crypttab.
Example with encrypted ext3 partition on LVM:
#####
# <target name> <source device> <key file> <options>
vg1-root_crypt /dev/mapper/vg1-root none luks
#####
If you don't want to use a passphrase but a file on disk as the
encryption key, just insert the filename as third field.
To mount a LUKS device, execute:
    cryptsetup luksOpen /dev/mapper/vg1-root vg1-root_crypt
    (or with keyfile: cryptsetup --key-file <file> luksOpen /dev/mapper/vg1-root vg1-root_crypt)
    mount /dev/mapper/vg1-root_crypt /whereveryouwant -t ext3
Partitions that don't use LUKS require the cryptsetup options in the
fourth field, for example:
#####
# <target name> <source device> <key file> <options>
sda11_crypt /dev/sda11 none cipher=aes-cbc-essiv:sha256,size=256,hash=sha256
#####
To mount a non-LUKS device, use the "create" command.
Take care that the options are written differently in /etc/crypttab and
for cryptsetup (compare their manpages).
For the example above, the command would be:
    cryptsetup --cipher aes-cbc-essiv:sha256 --key-size 256 --hash sha256 create sda11_crypt /dev/sda11
    mount /dev/mapper/sda11_crypt /whereveryouwant
Also note the different order of device arguments between both types.
> Is there a wiki page, howto, doc you know about?
cryptsetup manpage
http://www.saout.de/tikiwiki/tiki-index.php
http://www.saout.de/tikiwiki/tiki-index.php?page=LUKS
http://luks.endorphin.org
HTH,
Michel
--
Der tägliche Wahnsinn - http://www.virtualfreedom.de/dtw/
"Race" was the false belief of the 20th century, "security" is that of the 21st.
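Added example (not part of Michel's message, and not code from cryptsetup or openSUSE): a dry-run shell function that turns one /etc/crypttab line into the cryptsetup command described above. It covers only the options that appear in the message (luks, cipher=, size=, hash=) plus the key-file field. The function name crypttab_to_cmd and the key file path /etc/keys/root.key are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: print (do not run) the cryptsetup command for a crypttab line.
# Only the options shown in the message are handled: luks, cipher=, size=, hash=.
crypttab_to_cmd() {
    set -f; set -- $1; set +f          # split into fields, globbing disabled
    if [ $# -eq 0 ]; then return 0; fi # blank line
    case $1 in '#'*) return 0 ;; esac  # comment line
    [ $# -ge 3 ] || { echo "error: need name, device, key file" >&2; return 2; }
    name=$1 dev=$2 key=$3 opts=${4:-}

    luks=0 plain="" kf=""
    old_ifs=$IFS; IFS=,
    set -f; set -- $opts; set +f       # split the comma-separated options
    IFS=$old_ifs
    for o in "$@"; do
        case $o in
            luks)     luks=1 ;;
            cipher=*) plain="$plain --cipher ${o#cipher=}" ;;
            size=*)   plain="$plain --key-size ${o#size=}" ;;
            hash=*)   plain="$plain --hash ${o#hash=}" ;;
            *) echo "error: option '$o' not handled here" >&2; return 2 ;;
        esac
    done
    # Third field: "none" means passphrase prompt, anything else is a key file.
    [ "$key" = none ] || kf=" --key-file $key"

    if [ "$luks" -eq 1 ]; then
        # LUKS: parameters live in the header; argument order is device, name.
        echo "cryptsetup$kf luksOpen $dev $name"
    else
        # Plain dm-crypt: options must be given; argument order is name, device.
        echo "cryptsetup$plain$kf create $name $dev"
    fi
}

# Sample lines from the message; /etc/keys/root.key is a constructed path.
while IFS= read -r line; do
    crypttab_to_cmd "$line"
done <<'EOF'
# <target name> <source device> <key file> <options>
vg1-root_crypt /dev/mapper/vg1-root none luks
vg1-root_crypt /dev/mapper/vg1-root /etc/keys/root.key luks
sda11_crypt /dev/sda11 none cipher=aes-cbc-essiv:sha256,size=256,hash=sha256
EOF
```

An option the function does not know makes it return non-zero instead of printing a command, so an unrecognised entry is not silently opened with the wrong parameters.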