Jochen Hayek wrote:
>>>> Ludwig Nussel writes:
LN> When migrating util-linux to util-linux-ng the loop-AES patch got dropped.
Did anybody at SUSE consider the consequences of that for enterprise users?
But maybe I was the only one making use of that.
LN> The itercountk option was part of that patch.
LN> As quick workaround to be able to access your data
LN> you can install util-linux (or just mount/losetup) from 10.2.
LN> The plan is to not reintroduce the loop-AES patch
LN> (yast never offered to use any of its options right?)
You are most probably right in that yast did not explicitly offer those options,
but it *did* generate fstab (resp. crypttab ?!?) entries making use of that.
That's how I got to such encryption schemes.
That was a couple of years ago ...
You are right. I just checked 9.2, yast indeed does use
itercountk=100 if one chooses to not mount the image on boot. I.e.
different parameters depending on whether /etc/fstab or
/etc/cryptotab is used. That means we need to support an upgrade
path without hacks. Thanks for pointing that out!
I did not suspect then, that wasn't a good idea.
If I had had the vague idea then,
that I depended on a pretty "off-road" patch resp. encryption scheme,
that SUSE would drop one day around 2007 ...
I don't intend to drop support for encryption schemes yast once
Excuse me, but is LUKS also such a quite
that I should better not make myself dependent on?!?
No one knows. It's supported on most distros with unmodified tools so chances
are good that you won't end up with unreadable images :-)
LN> and also to get rid of the loop_fish2 kernel module for 10.3 though.
> Shall I just forget twofish256 and migrate all my encrypted disks?
LN> If that's an option for you
LN> it certainly makes sense to use a more secure on-disk format.
LN> 10.3 should still be able to read old images though.
LN> Therefore cryptsetup/dm-crypt do support the loop_fish2 format
LN> (twofish-cbc-null) in factory already.
LN> What's missing atm is the ability to generate keys compatible with the
You mean, the ability to cope with such encryption schemes,
is that identical to generating such keys?!?
The itercountk parameter does not affect the format of the data on
the disk (twofish-cbc-null). It just specifies a different method
(sha512+aes instead of just sha512) to compute the binary key used
LN> Please file a bug and assign it to me,
I am not sure, we will really end there, but ... maybe.
(I personally, I am already migrating my encrypted disks ...)
Looks like you are a brave man since you already tried to use your
crypted images on factory :-) So I'd be glad if you could keep your
old images around and verify that the new method to access them
I can find a list of "How to ..." -- which one applies?
I've filed Bug #270833 myself. You may add yourself to CC if you are
(o_ Ludwig Nussel
//\ SUSE Labs
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)