Re: [opensuse-factory] cryptsetup, some old, big and fat disks with encryption=twofish256, ...

2007-05-02 Thread Ludwig Nussel
Jochen Hayek wrote:
> I have a few disks with fstab entries like this one:
>
> noauto,nocheck,acl,user_xattr,loop=/dev/loop0,encryption=twofish256,phash=sha512,itercountk=100
>
> I would like to mount them under 10.3Alpha3 resp. SUSE Factory.
>
> cryptsetup's manual page says
>
> COMPATABILITY WITH OLD SUSE TWOFISH PARTITIONS
>
> To read images created with SuSE Linux 9.2's loop_fish2
>
> use --cipher twofish-cbc-null -s 256 -h sha512,
>
> for images created with even older SuSE Linux
>
> use --cipher twofish-cbc-null -s 192 -h ripemd160:20
>
> but if twofish-cbc-null is not listed in /proc/crypto,
> there is no way getting this working, right?

That's not the problem. The fstab line means you use losetup to set
up an encrypted loop device. When migrating util-linux to
util-linux-ng the loop-AES patch got dropped. The itercountk option
was part of that patch. As quick workaround to be able to access
your data you can install util-linux (or just mount/losetup) from
10.2. The plan is to not reintroduce the loop-AES patch (yast never
offered to use any of its options, right?) and also to get rid of
the loop_fish2 kernel module for 10.3 though.

> Shall I just forget twofish256 and migrate all my encrypted disks?

If that's an option for you, it certainly makes sense to use a more
secure on-disk format. 10.3 should still be able to read old images
though. Therefore cryptsetup/dm-crypt do support the loop_fish2
format (twofish-cbc-null) in factory already. What's missing atm is
the ability to generate keys compatible with the loop-AES patch.
Please file a bug and assign it to me, I'll consider implementing
replacements for itercountk and pseed options in cryptsetup.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   SUSE Labs
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
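
An added example, not part of either post: a small audit that scans fstab text for losetup-style encrypted entries and flags the ones using `itercountk` or `pseed`, the options this thread attributes to the dropped loop-AES patch. The device names and mount points in the sample are constructed, and the function and field names are hypothetical.

```python
# Options the thread attributes to the loop-AES patch dropped from util-linux-ng.
LOOP_AES_ONLY = {"itercountk", "pseed"}

def parse_options(field):
    """Split an fstab option field into a {name: value-or-None} dict."""
    opts = {}
    for item in filter(None, field.split(",")):
        name, _, value = item.partition("=")
        opts[name] = value or None
    return opts

def audit_fstab(text):
    """Return one finding per entry that carries an encryption= mount option."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        # Skip blank lines, comments and entries without an option field.
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        opts = parse_options(fields[3])
        if "encryption" not in opts:
            continue
        blockers = sorted(LOOP_AES_ONLY.intersection(opts))
        findings.append({
            "line": lineno,
            "device": fields[0],
            "mountpoint": fields[1],
            "encryption": opts["encryption"],
            "phash": opts.get("phash"),
            "loop_aes_options": blockers,
            # Per the thread, cryptsetup could not yet generate keys
            # compatible with the loop-AES patch (itercountk, pseed).
            "needs_loop_aes_keygen": bool(blockers),
        })
    return findings

# Constructed sample: device names and mount points are made up.
SAMPLE_FSTAB = """\
# <device> <mountpoint> <type> <options> <dump> <pass>
/dev/sda2  /  ext3  acl,user_xattr  1 1
/dev/sdb1  /data/old1  ext3  noauto,nocheck,acl,user_xattr,loop=/dev/loop0,encryption=twofish256,phash=sha512,itercountk=100  0 0
/dev/sdc1  /data/old2  ext3  noauto,loop=/dev/loop1,encryption=twofish256  0 0
"""

if __name__ == "__main__":
    for finding in audit_fstab(SAMPLE_FSTAB):
        print(finding)
```

Entries with `needs_loop_aes_keygen` set are the ones that, according to the reply above, still need the old mount/losetup until they are migrated.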



Re: [opensuse-factory] cryptsetup, some old, big and fat disks with encryption=twofish256, ...

2007-05-02 Thread Jochen Hayek
Ludwig Nussel writes:

> Jochen Hayek wrote:
>
> I have a few disks with fstab entries like this one:
>
> noauto,nocheck,acl,user_xattr,loop=/dev/loop0,encryption=twofish256,phash=sha512,itercountk=100
>
> I would like to mount them under 10.3Alpha3 resp. SUSE Factory.
>
> cryptsetup's manual page says
>
> COMPATABILITY WITH OLD SUSE TWOFISH PARTITIONS
>
> To read images created with SuSE Linux 9.2's loop_fish2
>
> use --cipher twofish-cbc-null -s 256 -h sha512,
>
> for images created with even older SuSE Linux
>
> use --cipher twofish-cbc-null -s 192 -h ripemd160:20
>
> but if twofish-cbc-null is not listed in /proc/crypto,
> there is no way getting this working, right?

LN That's not the problem. 
LN The fstab line means you use losetup to set up an encrypted loop device.

Understood. In all modesty: I think, I knew that before. But that's not important.

LN When migrating util-linux to util-linux-ng the loop-AES patch got dropped.

Did anybody at SUSE consider the consequences of that for enterprise users?

But maybe I was the only one making use of that.

LN The itercountk option was part of that patch.

LN As quick workaround to be able to access your data
LN you can install util-linux (or just mount/losetup) from 10.2.

LN The plan is to not reintroduce the loop-AES patch
LN (yast never offered to use any of its options, right?)

You are most probably right in that yast did not explicitly offer those options,
but it *did* generate fstab (resp. crypttab ?!?) entries making use of that.
That's how I got to such encryption schemes.
That was a couple of years ago ...

I did not suspect then, that wasn't a good idea.

If I had had the vague idea then, 
that I depended on a pretty off-road patch resp. encryption scheme,
that SUSE would drop one day around 2007 ...

Excuse me, but is LUKS also such a quite off-road patch,
that I should better not make myself dependent on?!?

You (SUSE!) are really shaking my confidence.

No offense taken, pls!!

LN and also to get rid of the loop_fish2 kernel module for 10.3 though.

> Shall I just forget twofish256 and migrate all my encrypted disks?

LN If that's an option for you
LN it certainly makes sense to use a more secure on-disk format.
LN 10.3 should still be able to read old images though.
LN Therefore cryptsetup/dm-crypt do support the loop_fish2 format (twofish-cbc-null) in factory already.
LN What's missing atm is the ability to generate keys compatible with the loop-AES patch.

You mean, the ability to cope with such encryption schemes,
is that identical to generating such keys?!?

LN Please file a bug and assign it to me, 

I am not sure, we will really end there, but ... maybe.
(I personally, I am already migrating my encrypted disks ...)

Under http://en.opensuse.org/Submitting_Bug_Reports
I can find a list of How to ... -- which one applies?

LN I'll consider implementing replacements for itercountk and pseed options in cryptsetup.

LN cu
LN Ludwig

J.