-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Thursday 2007-11-29 at 20:56 +0100, Michel Messerschmidt wrote:
> The fields in /etc/crypttab can basically be used as options for cryptsetup. I don't know Suse 10.3, but it probably contains a LUKS-enabled version.
I understand so.
> There is a big difference between encrypted devices with or without LUKS. With LUKS all relevant encryption options are stored in the partition header. You only need to specify "luks" in /etc/crypttab.
Ah! Of course, that means recreating the partition. But it is interesting. ...
> To mount a non-LUKS device, use the "create" command. Take care that the options are written differently in /etc/crypttab and for cryptsetup (compare their manpages). For the example above, the command would be:
>
>   cryptsetup --cipher aes-cbc-essiv:sha256 --key-size 256 --hash sha256 create sda11_crypt /dev/sda11
>   mount /dev/mapper/sda11_crypt /whereveryouwant
>
> Also note the different order of device arguments between both types.
This is what I need, I think.
Is there a wiki page, howto, doc you know about?
> cryptsetup manpage
> http://www.saout.de/tikiwiki/tiki-index.php
> http://www.saout.de/tikiwiki/tiki-index.php?page=LUKS
> http://luks.endorphin.org
Ah! Thanks, I'll have to read them.

This reminds me that when I had another encryption-related problem with filesystems created for suse 9.2, when using 10.1, Ludwig proposed I try a patch he had, and the script he wrote, and that will come in useful again.

  Date: Wed, 14 Feb 2007 11:40:48 +0100
  From: Ludwig Nussel <>
  Subject: Re: [opensuse-security] Weird encrypted filesystem problem.

I'll copy here the script 'cryptsetup-twofish' for reference:

+++======================================
#!/bin/bash
#
# set up legacy cryptoloop and loop_fish2 images via cryptsetup
#
# The mode is selected by the name the script is invoked under
# (cryptsetup-twofish, cryptsetup-twofish256, cryptsetup-twofishSL92),
# so install the other names as symlinks to this file.
#
name="$1"
dev="$2"
ivgen='plain'
hashalgo='sha512'
klen='256'
istwofish=''

if [ -z "$name" -o -z "$dev" ]; then
	echo "Usage: $0 <NAME> <DEVICE>" >&2
	exit 1
fi

if [ ! -b "$dev" ]; then
	echo "$dev is not a block device, try" >&2
	echo "losetup /dev/loop0 $dev" >&2
	exit 1
fi

set -e

# IV generator, key length and password hash differ between the legacy formats
case "$0" in
	*-twofish256) ;;
	*-twofishSL92) ivgen=null ;;
	*-twofish) ivgen=null; klen=192; hashalgo="ripemd160:20" ;;
	*) echo "unknown mode" >&2; exit 1 ;;
esac

set -- cryptsetup create "$name" "$dev" --cipher twofish-cbc-$ivgen -s $klen -h $hashalgo
exec "$@"
======================================++-

The script 'cryptsetup-twofish' has two symlinks, '@cryptsetup-twofish256' and '@cryptsetup-twofishSL92'. It is '@cryptsetup-twofish256' which I'll use now.
The sequence is:

  nimrodel:~ # file -s /Grande/imgs/roto
  /Grande/imgs/roto: data

(that's a file that contains the encrypted image)

  nimrodel:~ # losetup /dev/loop4 /Grande/imgs/roto
  nimrodel:~ # losetup -a
  /dev/loop0: [000e]:4593 (/dev/disk/by-id/ata-ST3320620A_5QF2M56F-part15)
  /dev/loop4: [0314]:9142822 (/Grande/imgs/roto)
  nimrodel:~ # file -s /dev/loop4
  /dev/loop4: data
  nimrodel:~ # cryptsetup-twofish256 roto /dev/loop4
  Enter passphrase:
  nimrodel:~ # file -s /dev/dm-1 /dev/loop4 /dev/mapper/roto
  /dev/dm-1: SGI XFS filesystem data (blksz 4096, inosz 256, v2 dirs)
  /dev/loop4: data
  /dev/mapper/roto: SGI XFS filesystem data (blksz 4096, inosz 256, v2 dirs)
  nimrodel:~ # mount /dev/mapper/roto /mnt/crypta.mm_dvd1.x/
  nimrodel:~ # dmsetup info
  Name:              roto
  State:             ACTIVE
  Tables present:    LIVE
  Open count:        1
  Event number:      0
  Major, minor:      253, 1
  Number of targets: 1

  Name:              cryptotab_loop0
  State:             ACTIVE
  Tables present:    LIVE
  Open count:        1
  Event number:      0
  Major, minor:      253, 0
  Number of targets: 1

And I get my files in '/mnt/crypta.mm_dvd1.x/' again!

So far, so good, I have a method to mount my previously created encrypted filesystems using the new method (cryptsetup). I'd propose that the above script be included somewhere on the distro, or published as an alternative method for manually mounting older encrypted partitions.

What I don't understand yet is what those /dev/dm-1 devices are:

  cer@nimrodel:~> l /dev/dm-1
  brw-r----- 1 root disk 253, 1 2007-11-30 01:04 /dev/dm-1

In "/usr/src/linux/Documentation/devices.txt" they are listed as "experimental/local use":

  240-254 char    LOCAL/EXPERIMENTAL USE
  240-254 block   LOCAL/EXPERIMENTAL USE
                  Allocated for local/experimental use. For devices not
                  assigned official numbers, these ranges should be used
                  in order to avoid conflicting with future assignments.

What are they, then? I reckon I haven't read the sites you mentioned above, yet.

- --
Cheers,
       Carlos E. R.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4-svn0 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQFHT2BWtTMYHG2NR9URAtNSAJ96y2+DNhPRTSTC0J/FE9L/gV81MACeMDhj
tYz40KHAsmjO0IcEKV9GoOk=
=uLVD
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
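Michel's point that /etc/crypttab and the cryptsetup command line spell the same parameters differently, and put name and device in a different order for "create" and "luksOpen", is the kind of thing that is easiest to see side by side. The script below is an added example, not code from this thread, from Ludwig's cryptsetup-twofish script, or from SUSE's boot.crypto: it reads constructed crypttab entries (including one with the same parameters the cryptsetup-twofish256 mode uses) and prints the cryptsetup invocation each one corresponds to. It assumes the crypttab option names "cipher=", "size=", "hash=" and "luks" as used by the Debian/SUSE crypttab of the time; the helper names crypttab_to_cmd and crypttab_to_cmds are hypothetical.

```shell
#!/bin/sh
# Added example: map /etc/crypttab entries to the cryptsetup command that
# activates them. Assumed crypttab option names (Debian/SUSE style):
#   cipher=<spec>  -> --cipher <spec>
#   size=<bits>    -> --key-size <bits>
#   hash=<algo>    -> --hash <algo>
#   luks           -> use luksOpen; cipher/size/hash come from the header
# crypttab columns: <name> <device> <keyfile|none> <options>

# crypttab_to_cmd NAME DEVICE KEYFILE OPTIONS  (hypothetical helper)
# Prints the cryptsetup invocation for one crypttab entry.
crypttab_to_cmd() {
    name=$1; dev=$2; key=$3; opts=$4
    luks=0; plain_args=""; key_args=""

    # options are comma separated in crypttab
    for o in $(printf '%s' "$opts" | tr ',' ' '); do
        case $o in
            luks)     luks=1 ;;
            cipher=*) plain_args="$plain_args --cipher ${o#cipher=}" ;;
            size=*)   plain_args="$plain_args --key-size ${o#size=}" ;;
            hash=*)   plain_args="$plain_args --hash ${o#hash=}" ;;
            *)        ;;   # noauto, swap, ... have no cryptsetup flag here
        esac
    done

    # "none" in the key column means: prompt for a passphrase
    if [ -n "$key" ] && [ "$key" != none ]; then
        key_args=" --key-file $key"
    fi

    if [ "$luks" -eq 1 ]; then
        # LUKS: device first, then mapping name; cipher/size/hash are
        # read from the on-disk header, so any given here are dropped
        echo "cryptsetup luksOpen $dev $name$key_args"
    else
        # plain dm-crypt: mapping name first, then device, and every
        # parameter must be spelled out or a different key is derived
        echo "cryptsetup create $name $dev$plain_args$key_args"
    fi
}

# Constructed sample /etc/crypttab (not a real file from any system)
SAMPLE_CRYPTTAB='
# plain dm-crypt, the AES example from the thread, crypttab spelling
sda11_crypt /dev/sda11 none cipher=aes-cbc-essiv:sha256,size=256,hash=sha256
# legacy twofish image with the cryptsetup-twofish256 parameters
roto /dev/loop4 none cipher=twofish-cbc-plain,size=256,hash=sha512
# LUKS volume: everything is in the header
home /dev/sda12 none luks
'

# crypttab_to_cmds CRYPTTAB_TEXT  (hypothetical helper)
# Prints one cryptsetup command per non-comment, non-empty entry.
crypttab_to_cmds() {
    printf '%s\n' "$1" | while read -r name dev key opts; do
        case $name in ''|\#*) continue ;; esac
        crypttab_to_cmd "$name" "$dev" "$key" "$opts"
    done
}

crypttab_to_cmds "$SAMPLE_CRYPTTAB"
```

Running it prints three commands; the first two are "cryptsetup create <name> <device> ..." with every parameter spelled out, the third is "cryptsetup luksOpen <device> <name>" with none, which is exactly the asymmetry the thread warns about. For a plain (non-LUKS) entry there is no header to check the parameters against, so a wrong cipher, key size or hash simply derives a different key and hands you garbage rather than an error; "file -s /dev/mapper/<name>" showing a known filesystem, as in the session above, is the practical sanity check.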