The Sunday 2007-02-11 at 12:51 +0100, Ludwig Nussel wrote:
Let me explain in another way:
Encrypted filesystems using 'twofish256', created after mounting another filesystem that uses 'twofishSL92', are in fact created using 'twofishSL92' as well, silently.
Thus, the keyword 'twofish256' refers in fact to two different and incompatible encryptions: to the real or new 'twofish256' (reported by losetup as 'CryptoAPI/twofish-cbc'), and to the old 'twofishSL92' (reported by losetup as 'twofish256').
Yes, unfortunately there are two incompatible on-disk formats for a twofish256 encryption: http://en.opensuse.org/SDB:Crypto_Partition/Files_Changes_in_SUSE_Linux_Prof...
Yes, I remember reading that back in 9.3 time.
The proof of this is that I can happily mount my 'twofish256' filesystems as 'twofishSL92' instead.
Be careful. Writing to a partition that got mounted with the wrong encryption type may result in irreparable file system corruption.
If I try to mount with twofish256 right after booting, they don't mount, they fail. It is only after I mount the only explicit twofishSL92 filesystem that the rest can be mounted.
Now, the first question is: is there another token I can use instead of 'twofish256' that is unique and refers to the real 'twofish256', that is, to 'CryptoAPI/twofish-cbc'?
No. As soon as you load loop_fish2 the twofishSL92 format gets used.
Very unfortunate. The thing is that I have three encrypted filesystems, plus dozens of dvds, some of them created using yast, and which I thought all of them were using the new system. But, as the old partition (twofishSL92) was mounted at creation time, all of them are in fact using twofishSL92 although I specified twofish256. I can't possibly read and reburn all those dvds! The problem is that Yast, or the kernel, or whatever, has created those filesystems using loop_fish2 without warning that it was using the old method.

nimrodel:~ # losetup -a
/dev/loop0: [000d]:2484 (/dev/disk/by-id/ata-ST3320620A_5QF2M56F-part15) encryption=CryptoAPI/twofish-cbc
/dev/loop1: [0314]:177 (/Grande/oldcriptadevicefile) encryption=twofish256
/dev/loop2: [1650]:135 (/biggy/crypta.bck_f.x0) encryption=twofish256
/dev/loop3: [0346]:11 (/Disco40/crypta.xfs.f) encryption=twofish256
/dev/loop4: [0703]:131 (/mnt/crypta.x9.dvdbck/zisofs.iso)
/dev/loop5: [034c]:215 (/test_b/crypta.bck_f.x) encryption=twofish256

nimrodel:~ # lsmod | grep "fish\|crypt\|loop"
loop_fish2 12928 4
twofish 43008 1
cryptoloop 3328 1
loop 15112 14 loop_fish2,cryptoloop

Above, loop0 is using twofish and cryptoloop. loop1 is a dd backup of the old filesystem, predating suse 9.3, using loop_fish2 (both 1 and 0 contain the same data yet). The rest were created later, supposedly using the new twofish256, but they are using loop_fish2 instead.

I can, I suppose, recreate the filesystems on disk to the new format. But the dvd backups are a different history!

--
Cheers,
Carlos E. R.
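
The check that the losetup and lsmod output in the message supports, as an added example that is not part of the original message: it maps each label `losetup -a` reports to the on-disk format the thread attributes to it and flags a loaded loop_fish2. The function names and the `--live` switch are this example's own, and it assumes `losetup -a` prints lines in the format shown in the message.

```shell
#!/bin/sh
# Added example (not from the original message). Assumes `losetup -a`
# prints lines in the format shown in the message.

# stdin: `losetup -a` output; stdout: "<device> <format>" per loop device.
classify_loops() {
    awk '
    /^\/dev\/loop/ {
        dev = $1; sub(/:$/, "", dev)
        fmt = "unencrypted"
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^encryption=/) continue
            enc = $i; sub(/^encryption=/, "", enc)
            # Label-to-format mapping as described in the thread.
            if (enc == "twofish256") fmt = "old:twofishSL92"
            else if (enc == "CryptoAPI/twofish-cbc") fmt = "new:CryptoAPI/twofish-cbc"
            else fmt = "other:" enc
        }
        print dev, fmt
    }'
}

# stdin: `lsmod` output; exit status 0 if loop_fish2 is loaded.
loop_fish2_loaded() {
    awk '$1 == "loop_fish2" { found = 1 } END { exit !found }'
}

# $1 = losetup text, $2 = lsmod text
report() {
    printf '%s\n' "$1" | classify_loops
    if printf '%s\n' "$2" | loop_fish2_loaded; then
        echo "loop_fish2 loaded: new 'twofish256' volumes will use the twofishSL92 format"
    fi
}

# Sample input: lines copied from the session in the message.
SAMPLE_LOSETUP='/dev/loop0: [000d]:2484 (/dev/disk/by-id/ata-ST3320620A_5QF2M56F-part15) encryption=CryptoAPI/twofish-cbc
/dev/loop1: [0314]:177 (/Grande/oldcriptadevicefile) encryption=twofish256
/dev/loop4: [0703]:131 (/mnt/crypta.x9.dvdbck/zisofs.iso)'
SAMPLE_LSMOD='loop_fish2 12928 4
cryptoloop 3328 1'

if [ "${1:-}" = "--live" ]; then
    report "$(losetup -a)" "$(lsmod)"
else
    report "$SAMPLE_LOSETUP" "$SAMPLE_LSMOD"
fi
```

Run without arguments it classifies the embedded sample; with `--live` it reads the running system, which needs root for `losetup -a`.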