The Monday 2007-09-24 at 20:14 -0700, Kai Ponte wrote:
Can anyone say what level or form of encryption is used on the encrypted filesystems (ext3) under opensuse 10.2?
The line in fstab for encrypted partitions (created by YaST) includes the phrase
encryption=twofish256
There might be other choices, I'm not sure, but that is what YaST seemed to default to.
Thanks.
That is what the Novell guys thought, too.
However, there are many more possibilities. The man page is hidden under "man losetup":

    -e encryption
           Enable data encryption. Following encryption types are
           recognized:

           NONE      Use no encryption (default).
           XOR       Use a simple XOR encryption.
           AES128 AES
                     Use 128 bit AES encryption. Password is hashed
                     with SHA-256 by default.
           AES192    Use 192 bit AES encryption. Password is hashed
                     with SHA-384 by default.
           AES256    Use 256 bit AES encryption. Password is hashed
                     with SHA-512 by default.

           twofish128 twofish160 twofish192 twofish256
           blowfish128 blowfish160 blowfish192 blowfish256
           serpent128 serpent192 serpent256
           mars128 mars192 mars256
           rc6-128 rc6-192 rc6-256
           tripleDES
                     These encryption types are available if they are
                     enabled in kernel configuration or corresponding
                     modules have been loaded to kernel.

Then there are more options of obscure effects:

    -S pseed
           Sets encryption password seed pseed which is appended to
           user supplied password before hashing. Using different
           seeds for different partitions makes dictionary attacks
           slower but does not prevent them if user supplied password
           is guessable. Seed is not used in multi-key mode.

Then, there is something named "multi-key mode", which is not explained. The man page assumes you already know the subject and you only need a refresher - which is not the case. :-(

Cryptoloop-HOWTO.gz

    This document explains how to create encrypted file systems using the Cryptoloop functionality. Cryptoloop is part of the CryptoAPI in the 2.6 Linux kernel series.
    ...
    This HOWTO describes how to use the Cryptoloop loop device encryption in the 2.6 Linux kernel series. Cryptoloop makes it possible to create encrypted file systems within a partition or another file in the file system. These encrypted files can then be moved to a CD, DVD, USB memory stick, etc. Cryptoloop makes use of the loop device. This device is a pseudo-device which serves as a "loop" through which each call to the file system has to pass. This way, data can be processed in order to encrypt and decrypt it. Since kernel 2.6, the Crypto API has been integrated into the main kernel, and setting up an encrypted file system has become much easier. No additional kernel patches are required. An update of some userspace utilities is necessary.

    Unfortunately, the use of Cryptoloop is not very well-documented so far. This HOWTO is an attempt to make it easy for everyone to create an encrypted file system using the standard Cryptoloop functionality. Cryptoloop is based on the Crypto API in the 2.6 Linux kernel. It should not be confused with Loop-AES, which is a completely separate project. Cryptoloop is similar to the Crypto API that was available as a separate patch for the 2.4 kernel series. The new version is not compatible with the older one.

Note from the 10.3 release notes:

    It is still possible to use cryptoloop via losetup and mount. Since we dropped the crude loop-AES patch from the util-linux package, some parameters for losetup (such as itercountk and pseed) no longer exist. If any of these settings are used in /etc/fstab the device cannot be mounted directly any more. Migrate these settings to /etc/crypttab where boot.crypto contains the necessary compatibility code.

Disk-Encryption-HOWTO.gz

    A method is described for encrypting a hard disk, either in whole or in part, with the encryption key stored on an external medium for increased security. (written for kernel 2.4)

Encrypted-Root-Filesystem-HOWTO.gz

    This document explains how to make your personal data secure by encrypting your Linux root filesystem using strong cryptography.

--
Cheers,
       Carlos E. R.
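The fstab check implied by the 10.3 release note quoted in the message above, as an added example that is not part of the original post or of any openSUSE tool. It assumes the loop-AES settings appear in the fstab option field as name=value, like the encryption=twofish256 entry quoted in the thread; the sample fstab and the function names are constructed for illustration.

```python
# Added example: report encrypted /etc/fstab entries and flag the ones that
# use options the 10.3 release notes say no longer exist (itercountk, pseed).
# Assumption: options are written "name=value", as in "encryption=twofish256".

DROPPED_OPTIONS = {"itercountk", "pseed"}

# Constructed sample input, not taken from a real system.
SAMPLE_FSTAB = """\
# <device>      <mountpoint>  <type>  <options>  <dump> <pass>
/dev/sda2       /             ext3    acl,user_xattr                    1 1
/dev/sda5       /secret       ext3    noauto,loop,encryption=twofish256 0 0
/srv/vault.img  /vault        ext3    loop=/dev/loop1,encryption=AES256,itercountk=100,pseed=abc 0 0
"""


def parse_options(field):
    """Split a comma-separated fstab option field into a {name: value} dict."""
    opts = {}
    for item in field.split(","):
        name, _, value = item.partition("=")
        if name:
            opts[name] = value
    return opts


def audit_fstab(text):
    """Return one finding per entry that carries an encryption= option."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry without an option field
        opts = parse_options(fields[3])
        if "encryption" not in opts:
            continue  # not an encrypted loop mount
        dropped = sorted(opts.keys() & DROPPED_OPTIONS)
        findings.append({
            "device": fields[0],
            "mountpoint": fields[1],
            "cipher": opts["encryption"],
            "dropped": dropped,
            "action": "migrate to /etc/crypttab" if dropped else "no dropped options",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_fstab(SAMPLE_FSTAB):
        print(finding)
```

Pass the contents of the real /etc/fstab to audit_fstab() to get the same report before upgrading.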