Ludwig Nussel writes:
Jochen Hayek wrote:
>> I have a few disks with fstab entries like this one:
>>
>> noauto,nocheck,acl,user_xattr,loop=/dev/loop0,encryption=twofish256,phash=sha512,itercountk=100
>>
>> I would like to mount them under 10.3Alpha3 resp. SUSE Factory.
>>
>> cryptsetup's manual page says
>>
>> COMPATABILITY WITH OLD SUSE TWOFISH PARTITIONS
>>
>> To read images created with SuSE Linux 9.2's loop_fish2
>>
>> use --cipher twofish-cbc-null -s 256 -h sha512,
>>
>> for images created with even older SuSE Linux
>>
>> use --cipher twofish-cbc-null -s 192 -h ripemd160:20
>>
>> but if twofish-cbc-null is not listed in /proc/crypto,
>> there is no way getting this working, right?
LN> That's not the problem.
LN> The fstab line means you use losetup to set up an encrypted loop device.
Understood. In all modesty: I think I knew that before. But that's not important.
LN> When migrating util-linux to util-linux-ng the loop-AES patch got dropped.
Did anybody at SUSE consider the consequences of that for enterprise users?
But maybe I was the only one making use of that.
LN> The itercountk option was part of that patch.
LN> As a quick workaround to be able to access your data
LN> you can install util-linux (or just mount/losetup) from 10.2.
LN> The plan is to not reintroduce the loop-AES patch
LN> (yast never offered to use any of its options, right?)
You are most probably right in that yast did not explicitly offer those options, but it *did* generate fstab (resp. crypttab ?!?) entries making use of that. That's how I got to such encryption schemes. That was a couple of years ago ...
I did not suspect then that that wasn't a good idea.
If I had had the vague idea then, that I depended on a pretty "off-road" patch resp. encryption scheme, that SUSE would drop one day around 2007 ...
Excuse me, but is LUKS also such a quite "off-road" patch, that I should better not make myself dependent on?!?
You (SUSE!) are really shaking my confidence.
No offense taken, pls!!
LN> and also to get rid of the loop_fish2 kernel module for 10.3 though.
>> Shall I just forget twofish256 and migrate all my encrypted disks?
LN> If that's an option for you
LN> it certainly makes sense to use a more secure on-disk format.
LN> 10.3 should still be able to read old images though.
LN> Therefore cryptsetup/dm-crypt do support the loop_fish2 format (twofish-cbc-null) in factory already.
LN> What's missing atm is the ability to generate keys compatible with the loop-AES patch.
You mean, the ability to cope with such encryption schemes, is that identical to generating such keys?!?
LN> Please file a bug and assign it to me,
I am not sure we will really end there, but ... maybe. (Personally, I am already migrating my encrypted disks ...)
Under http://en.opensuse.org/Submitting_Bug_Reports I can find a list of "How to ..." -- which one applies?
LN> I'll consider implementing replacements for itercountk and pseed options in cryptsetup.
LN> cu
LN> Ludwig
J.