[opensuse-factory] cryptsetup, some old, big and fat disks with encryption=twofish256, ...
I have a few disks with fstab entries like this one:

noauto,nocheck,acl,user_xattr,loop=/dev/loop0,encryption=twofish256,phash=sha512,itercountk=100

I would like to mount them under 10.3Alpha3 resp. SUSE Factory.

cryptsetup's manual page says

COMPATIBILITY WITH OLD SUSE TWOFISH PARTITIONS
To read images created with SuSE Linux 9.2's loop_fish2
use --cipher twofish-cbc-null -s 256 -h sha512,
for images created with even older SuSE Linux
use --cipher twofish-cbc-null -s 192 -h ripemd160:20

but if twofish-cbc-null is not listed in /proc/crypto, there is no way of getting this working, right?

And even after

$ modprobe loop_fish2

something like this didn't work any more:

$ losetup -e twofish256 -H sha512 -C 100 /dev/loop1 /dev/sdb1

but it does on 10.1.

Shall I just forget twofish256 and migrate all my encrypted disks?

Cheers,
Jochen

P.S. Actually I really like the LUKS extensions to cryptsetup.

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-factory+help@opensuse.org
Jochen Hayek wrote:
> I have a few disks with fstab entries like this one:
>
> noauto,nocheck,acl,user_xattr,loop=/dev/loop0,encryption=twofish256,phash=sha512,itercountk=100
>
> I would like to mount them under 10.3Alpha3 resp. SUSE Factory.
>
> cryptsetup's manual page says
>
> COMPATIBILITY WITH OLD SUSE TWOFISH PARTITIONS
> To read images created with SuSE Linux 9.2's loop_fish2
> use --cipher twofish-cbc-null -s 256 -h sha512,
> for images created with even older SuSE Linux
> use --cipher twofish-cbc-null -s 192 -h ripemd160:20
>
> but if twofish-cbc-null is not listed in /proc/crypto, there is no way of getting this working, right?
That's not the problem. The fstab line means you use losetup to set up an encrypted loop device. When migrating util-linux to util-linux-ng the loop-AES patch got dropped. The itercountk option was part of that patch. As a quick workaround to be able to access your data you can install util-linux (or just mount/losetup) from 10.2. The plan is to not reintroduce the loop-AES patch (yast never offered to use any of its options, right?) and also to get rid of the loop_fish2 kernel module for 10.3 though.
> Shall I just forget twofish256 and migrate all my encrypted disks?
If that's an option for you it certainly makes sense to use a more secure on-disk format. 10.3 should still be able to read old images though. Therefore cryptsetup/dm-crypt do support the loop_fish2 format (twofish-cbc-null) in factory already. What's missing atm is the ability to generate keys compatible with the loop-AES patch. Please file a bug and assign it to me, I'll consider implementing replacements for the itercountk and pseed options in cryptsetup.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\   SUSE Labs
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Ludwig Nussel writes:
Jochen Hayek wrote:
>> I have a few disks with fstab entries like this one:
>>
>> noauto,nocheck,acl,user_xattr,loop=/dev/loop0,encryption=twofish256,phash=sha512,itercountk=100
>>
>> I would like to mount them under 10.3Alpha3 resp. SUSE Factory.
>>
>> cryptsetup's manual page says
>>
>> COMPATIBILITY WITH OLD SUSE TWOFISH PARTITIONS
>>
>> To read images created with SuSE Linux 9.2's loop_fish2
>>
>> use --cipher twofish-cbc-null -s 256 -h sha512,
>>
>> for images created with even older SuSE Linux
>>
>> use --cipher twofish-cbc-null -s 192 -h ripemd160:20
>>
>> but if twofish-cbc-null is not listed in /proc/crypto,
>> there is no way of getting this working, right?

LN> That's not the problem.
LN> The fstab line means you use losetup to set up an encrypted loop device.

Understood. In all modesty: I think I knew that before. But that's not important.

LN> When migrating util-linux to util-linux-ng the loop-AES patch got dropped.

Did anybody at SUSE consider the consequences of that for enterprise users?
But maybe I was the only one making use of that.

LN> The itercountk option was part of that patch.
LN> As a quick workaround to be able to access your data
LN> you can install util-linux (or just mount/losetup) from 10.2.
LN> The plan is to not reintroduce the loop-AES patch
LN> (yast never offered to use any of its options, right?)

You are most probably right in that yast did not explicitly offer those options, but it *did* generate fstab (resp. crypttab ?!?) entries making use of that. That's how I got to such encryption schemes. That was a couple of years ago ...
I did not suspect, then, that it wasn't a good idea.
If I had had the vague idea then, that I depended on a pretty "off-road" patch resp. encryption scheme, that SUSE would drop one day around 2007 ...
Excuse me, but is LUKS also such a quite "off-road" patch, that I should better not make myself dependent on?!?
You (SUSE!) are really shaking my confidence. No offense taken, pls!!

LN> and also to get rid of the loop_fish2 kernel module for 10.3 though.

>> Shall I just forget twofish256 and migrate all my encrypted disks?

LN> If that's an option for you
LN> it certainly makes sense to use a more secure on-disk format.
LN> 10.3 should still be able to read old images though.
LN> Therefore cryptsetup/dm-crypt do support the loop_fish2 format (twofish-cbc-null) in factory already.
LN> What's missing atm is the ability to generate keys compatible with the loop-AES patch.

You mean, the ability to cope with such encryption schemes, is that identical to generating such keys?!?

LN> Please file a bug and assign it to me,

I am not sure we will really end there, but ... maybe.
(I personally, I am already migrating my encrypted disks ...)
Under http://en.opensuse.org/Submitting_Bug_Reports I can find a list of "How to ..." -- which one applies?

LN> I'll consider implementing replacements for itercountk and pseed options in cryptsetup.

LN> cu
LN> Ludwig

J.
Jochen Hayek wrote:
> Ludwig Nussel writes:
> LN> When migrating util-linux to util-linux-ng the loop-AES patch got dropped.
>
> Did anybody at SUSE consider the consequences of that for enterprise users?
> But maybe I was the only one making use of that.
>
> LN> The itercountk option was part of that patch.
> LN> As a quick workaround to be able to access your data
> LN> you can install util-linux (or just mount/losetup) from 10.2.
> LN> The plan is to not reintroduce the loop-AES patch
> LN> (yast never offered to use any of its options, right?)
>
> You are most probably right in that yast did not explicitly offer those options, but it *did* generate fstab (resp. crypttab ?!?) entries making use of that. That's how I got to such encryption schemes. That was a couple of years ago ...
You are right. I just checked 9.2, yast indeed does use itercountk=100 if one chooses to not mount the image on boot. I.e. different parameters depending on whether /etc/fstab or /etc/cryptotab is used. That means we need to support an upgrade path without hacks. Thanks for pointing that out!
> I did not suspect, then, that it wasn't a good idea.
> If I had had the vague idea then, that I depended on a pretty "off-road" patch resp. encryption scheme, that SUSE would drop one day around 2007 ...
I don't intend to drop support for encryption schemes yast once offered.
> Excuse me, but is LUKS also such a quite "off-road" patch, that I should better not make myself dependent on?!?
No one knows. It's supported on most distros with unmodified tools, so chances are good that you won't end up with unreadable images :-)
> LN> and also to get rid of the loop_fish2 kernel module for 10.3 though.
>
> >> Shall I just forget twofish256 and migrate all my encrypted disks?
>
> LN> If that's an option for you
> LN> it certainly makes sense to use a more secure on-disk format.
> LN> 10.3 should still be able to read old images though.
> LN> Therefore cryptsetup/dm-crypt do support the loop_fish2 format (twofish-cbc-null) in factory already.
> LN> What's missing atm is the ability to generate keys compatible with the loop-AES patch.
>
> You mean, the ability to cope with such encryption schemes, is that identical to generating such keys?!?
The itercountk parameter does not affect the format of the data on the disk (twofish-cbc-null). It just specifies a different method (sha512+aes instead of just sha512) to compute the binary key used for encryption.
> LN> Please file a bug and assign it to me,
>
> I am not sure we will really end there, but ... maybe.
> (I personally, I am already migrating my encrypted disks ...)
Looks like you are a brave man since you already tried to use your crypted images on factory :-) So I'd be glad if you could keep your old images around and verify that the new method to access them actually works.
> Under http://en.opensuse.org/Submitting_Bug_Reports I can find a list of "How to ..." -- which one applies?
I've filed Bug #270833 myself. You may add yourself to CC if you are interested.

cu
Ludwig