Re: [gentoo-user] [SOLVED] Running cryptsetup under mdev
On May 7, 2014, at 21:57, J. Roeleveld jo...@antarean.org wrote: The create and remove commands with LUKS also require root. They use a session manager in desktop environments to allow users to do it. Sudo with a secure wrapper script might be sufficient for you? I was wondering. What is the actual reason why cryptsetup has a LUKS and non-LUKS set of options? Well that is of course to let you have the control over how the encryption is done. In the kernel point of view the disk encryption is just bare encryption with the given parameters. These include the cipher (AES etc), the mode (CBC, CTR etc) and Initialization Vector (IV) creation (ESSIV etc) and last but not least the key that is used with the cipher. Now without LUKS cryptsetup just sets these parameters and you have to provide them each time to cryptsetup when you are using your encrypted volume. With LUKS cryptsetup will store all these parameters in a binary format. By default this binary data is stored at the beginning of the disk. Kernel then only uses the remaining disk space for encryption. The binary data at the beginning of the disk is not encrypted because the setup would the be unreadable. When you setup a LUKS partition, cryptsetup creates a random key used for encryption the partition. Using a random key for disk encryption is an absolute MUST! A hash of this key is stored in binary data to do key verification. By default a 128k salt is created for each password you wish to use to access the disk (anti forensics). The disk key is then encrypted with the salt and the password. The salt and the encrypted key is stored in the binary data. If the salt is lost, the disk key is lost and recovery of your data is virtually impossible with only your password. With only the password it is impossible to decrypt the disk. If you have a backup of the disk key, with that key you can decrypt the disk without the password. All the steps done by LUKS are necessary for a proper disk encryption! If you do not use LUKS you need to write your own software to do the necessary steps! Cryptsetup without LUKS uses just a plain hash function without a salt to derive disk key from your password. The entropy in this kind of key creation is not nearly enough for secure disk encryption! Unless you know what you are doing use LUKS. -- -Matti
Re: [gentoo-user] [SOLVED] Running cryptsetup under mdev
On May 7, 2014, at 21:57, J. Roeleveld jo...@antarean.org wrote: I was wondering. What is the actual reason why cryptsetup has a LUKS and non-LUKS set of options? And a short answer to the actual question :) LUKS automates key creation and non-LUKS lets you do it manually. Sorry for the long posts ;) -- -Matti
Re: [gentoo-user] [SOLVED] Running cryptsetup under mdev
On Thursday, May 08, 2014 02:36:29 PM Andrew Savchenko wrote: On Wed, 07 May 2014 20:57:29 +0200 J. Roeleveld wrote: On 7 May 2014 20:11:10 CEST, Walter Dnes waltd...@waltdnes.org wrote: On Wed, May 07, 2014 at 08:11:02AM +0200, J. Roeleveld wrote On Tuesday, May 06, 2014 05:34:52 PM Walter Dnes wrote: Unfortunately, mdev != udev. People running RAID have problems too. I know it isn't. I just find it strange that LVM can't work without udev when I see options which configure the LVM-tools to either double-check udevs actions or even completely bypass udev: Thanks for the pointer. After turning off the udev-related options in lvm.conf, I'm getting /dev/mapper device nodes as expected. That is good. Now if only mdadm can be confirmed to work with mdev. I could try it on one of my machines. And what is the problem with mdadm with mdev? Only that Walter mentioned that people with Raid have issues too. I have such setup: nothing special here and works fine. Just to speed up device lookup: $ grep -v ^# /etc/mdadm.conf DEVICE /dev/sd* And here we go: $ cat /proc/mdstat Personalities : [raid10] md0 : active raid10 sdd[3] sdf[2] 2930265088 blocks super 1.2 256K chunks 2 far-copies [2/2] [UU] Do the devices get created correctly in /dev as well? Many thanks, Joost
Re: [gentoo-user] [SOLVED] Running cryptsetup under mdev
On Wed, 07 May 2014 20:57:29 +0200 J. Roeleveld wrote: On 7 May 2014 20:11:10 CEST, Walter Dnes waltd...@waltdnes.org wrote: On Wed, May 07, 2014 at 08:11:02AM +0200, J. Roeleveld wrote On Tuesday, May 06, 2014 05:34:52 PM Walter Dnes wrote: Unfortunately, mdev != udev. People running RAID have problems too. I know it isn't. I just find it strange that LVM can't work without udev when I see options which configure the LVM-tools to either double-check udevs actions or even completely bypass udev: Thanks for the pointer. After turning off the udev-related options in lvm.conf, I'm getting /dev/mapper device nodes as expected. That is good. Now if only mdadm can be confirmed to work with mdev. I could try it on one of my machines. And what is the problem with mdadm with mdev? I have such setup: nothing special here and works fine. Just to speed up device lookup: $ grep -v ^# /etc/mdadm.conf DEVICE /dev/sd* And here we go: $ cat /proc/mdstat Personalities : [raid10] md0 : active raid10 sdd[3] sdf[2] 2930265088 blocks super 1.2 256K chunks 2 far-copies [2/2] [UU] Best regards, Andrew Savchenko pgpYAu22dxvLA.pgp Description: PGP signature
[gentoo-user] [SOLVED] Running cryptsetup under mdev
On Wed, May 07, 2014 at 08:11:02AM +0200, J. Roeleveld wrote On Tuesday, May 06, 2014 05:34:52 PM Walter Dnes wrote: Unfortunately, mdev != udev. People running RAID have problems too. I know it isn't. I just find it strange that LVM can't work without udev when I see options which configure the LVM-tools to either double-check udevs actions or even completely bypass udev: Thanks for the pointer. After turning off the udev-related options in lvm.conf, I'm getting /dev/mapper device nodes as expected. I still can't get cryptsetup to work with LUKS, but it works fine *WITHOUT* LUKS as per instructions at http://sleepyhead.de/howto/?href=cryptpart#woluks In my case, the initial setup was... cryptsetup -y create usbkey1 /dev/sdb1 mkfs.ext2 /dev/mapper/usbkey1 mount -t ext2 /dev/mapper/usbkey1 /mnt/usbkey1 umount /mnt/usbkey1 cryptsetup remove usbkey1 ...and subsequent sessions... cryptsetup -y create usbkey1 /dev/sdb1 mount -t ext2 /dev/mapper/usbkey1 /mnt/usbkey1 ...do whatever... umount /mnt/usbkey1 cryptsetup remove usbkey1 The setup and teardown commands have to be done as root, but I've chowned /mnt/usbkey1 to waltdnes:users and confirmed that I can create and delete files and directories as a regular user. -- Walter Dnes waltd...@waltdnes.org I don't run desktop environments; I run useful applications
Re: [gentoo-user] [SOLVED] Running cryptsetup under mdev
On 7 May 2014 20:11:10 CEST, Walter Dnes waltd...@waltdnes.org wrote: On Wed, May 07, 2014 at 08:11:02AM +0200, J. Roeleveld wrote On Tuesday, May 06, 2014 05:34:52 PM Walter Dnes wrote: Unfortunately, mdev != udev. People running RAID have problems too. I know it isn't. I just find it strange that LVM can't work without udev when I see options which configure the LVM-tools to either double-check udevs actions or even completely bypass udev: Thanks for the pointer. After turning off the udev-related options in lvm.conf, I'm getting /dev/mapper device nodes as expected. That is good. Now if only mdadm can be confirmed to work with mdev. I could try it on one of my machines. I still can't get cryptsetup to work with LUKS, but it works fine *WITHOUT* LUKS as per instructions at http://sleepyhead.de/howto/?href=cryptpart#woluks In my case, the initial setup was... cryptsetup -y create usbkey1 /dev/sdb1 mkfs.ext2 /dev/mapper/usbkey1 mount -t ext2 /dev/mapper/usbkey1 /mnt/usbkey1 umount /mnt/usbkey1 cryptsetup remove usbkey1 ...and subsequent sessions... cryptsetup -y create usbkey1 /dev/sdb1 mount -t ext2 /dev/mapper/usbkey1 /mnt/usbkey1 ...do whatever... umount /mnt/usbkey1 cryptsetup remove usbkey1 The setup and teardown commands have to be done as root, but I've chowned /mnt/usbkey1 to waltdnes:users and confirmed that I can create and delete files and directories as a regular user. The create and remove commands with LUKS also require root. They use a session manager in desktop environments to allow users to do it. Sudo with a secure wrapper script might be sufficient for you? I was wondering. What is the actual reason why cryptsetup has a LUKS and non-LUKS set of options? -- Joost -- Sent from my Android device with K-9 Mail. Please excuse my brevity.