Ludwig Nussel writes:
Jochen Hayek wrote:
>> I have a few disks with fstab entries like this one:
>>
>> noauto,nocheck,acl,user_xattr,loop=/dev/loop0,encryption=twofish256,phash=sha512,itercountk=100
>>
>> I would like to mount them under 10.3Alpha3 resp. SUSE Factory.
>>
>> cryptsetup's manual page says
>>
>> COMPATABILITY WITH OLD SUSE TWOFISH PARTITIONS
>>
>> To read images created with SuSE Linux 9.2's loop_fish2
>> use --cipher twofish-cbc-null -s 256 -h sha512,
>> for images created with even older SuSE Linux
>> use --cipher twofish-cbc-null -s 192 -h ripemd160:20
>>
>> but if twofish-cbc-null is not listed in /proc/crypto ,
>> there is no way getting this working, right?

LN> That's not the problem.
LN> The fstab line means you use losetup to set up an encrypted loop device.

Understood.
In all modesty: I think, I knew that before.
But that's not important.

LN> When migrating util-linux to util-linux-ng the loop-AES patch got dropped.

Did anybody at SUSE consider the consequences of that for enterprise users?
But maybe I was the only one making use of that.

LN> The itercountk option was part of that patch.
LN> As quick workaround to be able to access your data
LN> you can install util-linux (or just mount/losetup) from 10.2.

LN> The plan is to not reintroduce the loop-AES patch
LN> (yast never offered to use any of its options right?)

You are most probably right in that yast did not explicitly offer those options,
but it *did* generate fstab (resp. crypttab ?!?) entries making use of that.
That's how I got to such encryption schemes.
That was a couple of years ago ...
I did not suspect then, that wasn't a good idea.
If I had had the vague idea then,
that I depended on a pretty "off-road" patch resp. encryption scheme,
that SUSE would drop one day around 2007 ...

Excuse me, but is LUKS also such a quite "off-road" patch,
that I should better not make myself dependent on?!?

You (SUSE!) are really shaking my confidence.
No offense taken, pls!!

LN> and also to get rid of the loop_fish2 kernel module for 10.3 though.

>> Shall I just forget twofish256 and migrate all my encrypted disks?

LN> If that's an option for you
LN> it certainly makes sense to use a more secure on-disk format.

LN> 10.3 should still be able to read old images though.
LN> Therefore cryptsetup/dm-crypt do support the loop_fish2 format (twofish-cbc-null) in factory already.
LN> What's missing atm is the ability to generate keys compatible with the loop-AES patch.

You mean, the ability to cope with such encryption schemes,
is that identical to generating such keys?!?

LN> Please file a bug and assign it to me,

I am not sure, we will really end there, but ... maybe.
(I personally, I am already migrating my encrypted disks ...)

Under

http://en.opensuse.org/Submitting_Bug_Reports

I can find a list of "How to ..." -- which one applies?

LN> I'll consider implementing replacements for itercountk and pseed options in cryptsetup.

LN> cu
LN> Ludwig

J.
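
An added example, not part of the original mail or of any SUSE tool: a small audit over fstab option strings that flags entries relying on `itercountk` or `pseed`, the loop-AES patch options named in the thread, and prints the cryptsetup flags quoted from the manual page for the rest. The function names, the sample paths, and the treatment of a `twofish256`/`sha512` entry without those options as the SuSE 9.2 loop_fish2 format are assumptions of this example.

```shell
#!/bin/sh
# classify_opts OPTS -> prints one verdict for a comma-separated fstab option list
classify_opts() {
    enc='' phash='' blocked=''
    old_ifs=$IFS
    set -f                      # no globbing while splitting on commas
    IFS=,
    for opt in $1; do
        case ${opt%%=*} in
            encryption) enc=${opt#*=} ;;
            phash)      phash=${opt#*=} ;;
            # options the thread attributes to the dropped loop-AES patch
            itercountk|pseed) blocked="${blocked:+$blocked,}${opt%%=*}" ;;
        esac
    done
    IFS=$old_ifs
    set +f
    if [ -z "$enc" ]; then
        echo "plain"
    elif [ -n "$blocked" ]; then
        echo "loop-aes-keying:$blocked"     # key derivation cryptsetup lacks per the thread
    elif [ "$enc" = twofish256 ] && [ "$phash" = sha512 ]; then
        # assumption: this is the 9.2 loop_fish2 case from the quoted man page text
        echo "cryptsetup --cipher twofish-cbc-null -s 256 -h sha512"
    else
        echo "review:$enc"
    fi
}

# audit_fstab FILE -> one "device<TAB>verdict" line per encrypted entry
audit_fstab() {
    while read -r dev _mnt _type opts _rest; do
        case $dev in ''|'#'*) continue ;; esac
        verdict=$(classify_opts "$opts")
        [ "$verdict" = plain ] || printf '%s\t%s\n' "$dev" "$verdict"
    done < "$1"
}

# Constructed sample; only the first option string is the one quoted in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/secret/img1 /mnt/a ext3 noauto,nocheck,acl,user_xattr,loop=/dev/loop0,encryption=twofish256,phash=sha512,itercountk=100 0 0
/secret/img2 /mnt/b ext3 noauto,loop=/dev/loop1,encryption=twofish256,phash=sha512 0 0
/dev/sda1 / ext3 acl,user_xattr 1 1
EOF
audit_fstab "$sample"
rm -f "$sample"
```

Entries reported as `loop-aes-keying` are the ones that, per the thread, still need mount/losetup from 10.2 or a migration to a newer on-disk format.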