Re: [opensuse-security] How does one convert from /etc/cryptotab to /etc/crypttab

30 Nov 2007

      -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Thursday 2007-11-29 at 20:56 +0100, Michel Messerschmidt wrote:
...
The fields in /etc/crypttab can basically be used as options for
cryptsetup. I don't know the Suse 10.3 but it probably contains a
luks enabled version.
I understand so.
...
There is a big difference between encrypted devices with or without
LUKS. With LUKS all relevant encryption options are stored in the
partition header. You only need to specify "luks" in /etc/crypttab.
Ah!  Of course, that means recreating the partition. But it is 
interesting.

...
...
To mount a non-LUKS device, use the "create" command.
Take care that the options are written differently in /etc/crypttab and
for cryptsetup (compare their manpages).
for the example above, the command would be:
cryptsetup --cipher aes-cbc-essiv:sha256 --key-size 256 --hash sha256 create sda11_crypt /dev/sda11
mount /dev/mapper/sda11_crypt /whereveryouwant
Also note the different order of device arguments between both types.
This is what I need, I think.
...
...
Is there a wiki page, howto, doc you know about?
cryptsetup manpage
http://www.saout.de/tikiwiki/tiki-index.php
http://www.saout.de/tikiwiki/tiki-index.php?page=LUKS
http://luks.endorphin.org
Ah! Thanks, I'll have to read them.

This reminds me that when I had another encryption related problem with 
filesystems created for suse 9.2, when using 10.1, Ludwig proposed I try a 
patch he had, and the script he wrote and that will come useful again.

   Date: Wed, 14 Feb 2007 11:40:48 +0100
   From: Ludwig Nussel <>
   Subject: Re: [opensuse-security] Weird encrypted filesystem problem.

I'll copy here the script 'cryptsetup-twofish' for reference:

+++======================================
#!/bin/bash
#
# set up legacy cryptoloop and loop_fish2 images via cryptsetup
#
name="$1"
dev="$2"

ivgen='plain'
hashalgo='sha512'
klen='256'
istwofish=''

if [ -z "$name" -o -z "$dev" ]; then
         echo "Usage: $0 <NAME> <DEVICE>" >&2
         exit 1
fi

if [ ! -b "$dev" ]; then
         echo "$dev is not a block device, try" >&2
         echo "losetup /dev/loop0 $dev" >&2
         exit 1
fi

set -e

case "$0" in
         *-twofish256) ;;
         *-twofishSL92) ivgen=null ;;
         *-twofish)
                 ivgen=null;
                 klen=192;
                 hashalgo="ripemd160:20" ;
                 ;;
         *) echo "unknown mode"; exit 1 ;;
esac
set -- cryptsetup create "$name" "$dev" --cipher twofish-cbc-$ivgen -s $klen -h $hashalgo
exec "$@"
======================================++-

The script 'cryptsetup-twofish' has two symlinks '@cryptsetup-twofish256' 
and '@cryptsetup-twofishSL92'. It is '@cryptsetup-twofish256' which I'll 
use now. The sequence is:

   nimrodel:~ # file -s /Grande/imgs/roto
   /Grande/imgs/roto: data

(that's a file that contains the encrypted image)

   nimrodel:~ # losetup /dev/loop4 /Grande/imgs/roto
   nimrodel:~ # losetup -a
   /dev/loop0: [000e]:4593 (/dev/disk/by-id/ata-ST3320620A_5QF2M56F-part15)
   /dev/loop4: [0314]:9142822 (/Grande/imgs/roto)

   nimrodel:~ # file -s /dev/loop4
   /dev/loop4: data

   nimrodel:~ # cryptsetup-twofish256  roto /dev/loop4
   Enter passphrase:

   nimrodel:~ # file -s /dev/dm-1 /dev/loop4 /dev/mapper/roto
   /dev/dm-1:        SGI XFS filesystem data (blksz 4096, inosz 256, v2 dirs)
   /dev/loop4:       data
   /dev/mapper/roto: SGI XFS filesystem data (blksz 4096, inosz 256, v2 dirs)
   nimrodel:~ # mount /dev/mapper/roto /mnt/crypta.mm_dvd1.x/

   nimrodel:~ # dmsetup info
   Name:              roto
   State:             ACTIVE
   Tables present:    LIVE
   Open count:        1
   Event number:      0
   Major, minor:      253, 1
   Number of targets: 1

   Name:              cryptotab_loop0
   State:             ACTIVE
   Tables present:    LIVE
   Open count:        1
   Event number:      0
   Major, minor:      253, 0
   Number of targets: 1

And I get my files in '/mnt/crypta.mm_dvd1.x/' again! So far, so good, I 
have a method to mount my previously created encrypted filesystems using 
the new method (cryptsetup).

I'd propose that the above script be included somewhere on the distro, or 
published as an alternative method for manually mounting older encrypted 
partitions.

What I don't understand yet is what are those /dev/dm-1 devices:

   cer@nimrodel:~> l /dev/dm-1
   brw-r----- 1 root disk 253, 1 2007-11-30 01:04 /dev/dm-1

In "/usr/src/linux/Documentation/devices.txt" they are listed as 
"experimental/local use":

240-254 char    LOCAL/EXPERIMENTAL USE

240-254 block   LOCAL/EXPERIMENTAL USE
                 Allocated for local/experimental use.  For devices not
                 assigned official numbers, these ranges should be
                 used in order to avoid conflicting with future assignments.

What are them, then? I recogn I haven't read the sites you mentioned 
above, yet.

- -- 
Cheers,
        Carlos E. R.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4-svn0 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQFHT2BWtTMYHG2NR9URAtNSAJ96y2+DNhPRTSTC0J/FE9L/gV81MACeMDhj
tYz40KHAsmjO0IcEKV9GoOk=
=uLVD
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org