>>>>> Ludwig Nussel writes:
> Jochen Hayek wrote:
>> I have a few disks with fstab entries like this one:
>>
>>
>> noauto,nocheck,acl,user_xattr,loop=/dev/loop0,encryption=twofish256,phash=sha512,itercountk=100
>>
>> I would like to mount them under 10.3Alpha3 resp. SUSE Factory.
>>
>> cryptsetup's manual page says
>>
>> COMPATABILITY WITH OLD SUSE TWOFISH PARTITIONS
>>
>> To read images created with SuSE Linux 9.2's loop_fish2
>>
>> use --cipher twofish-cbc-null -s 256 -h sha512,
>>
>> for images created with even older SuSE Linux
>>
>> use --cipher twofish-cbc-null -s 192 -h ripemd160:20
>>
>> but if twofish-cbc-null is not listed in /proc/crypto,
>> there is no way getting this working, right?
LN> That's not the problem.
LN> The fstab line means you use losetup to set up an encrypted loop device.
Understood. In all modesty: I think I knew that before. But that's not
important.
LN> When migrating util-linux to util-linux-ng the loop-AES patch got
LN> dropped.
Did anybody at SUSE consider the consequences of that for enterprise users?
But maybe I was the only one making use of that.
LN> The itercountk option was part of that patch.
LN> As a quick workaround to be able to access your data
LN> you can install util-linux (or just mount/losetup) from 10.2.
LN> The plan is to not reintroduce the loop-AES patch
LN> (yast never offered to use any of its options, right?)
You are most probably right in that yast did not explicitly offer those options,
but it *did* generate fstab (resp. crypttab ?!?) entries making use of that.
That's how I got to such encryption schemes.
That was a couple of years ago ...
I did not suspect then, that wasn't a good idea.
If I had had the vague idea then,
that I depended on a pretty "off-road" patch resp. encryption scheme,
that SUSE would drop one day around 2007 ...
Excuse me, but is LUKS also such a quite "off-road" patch,
that I should better not make myself dependent on?!?
You (SUSE!) are really shaking my confidence.
No offense taken, pls!!
LN> and also to get rid of the loop_fish2 kernel module for 10.3 though.
>> Shall I just forget twofish256 and migrate all my encrypted disks?
LN> If that's an option for you
LN> it certainly makes sense to use a more secure on-disk format.
LN> 10.3 should still be able to read old images though.
LN> Therefore cryptsetup/dm-crypt do support the loop_fish2 format
LN> (twofish-cbc-null) in factory already.
LN> What's missing atm is the ability to generate keys compatible with the
LN> loop-AES patch.
You mean, the ability to cope with such encryption schemes,
is that identical to generating such keys?!?
LN> Please file a bug and assign it to me,
I am not sure we will really end there, but ... maybe.
(I personally, I am already migrating my encrypted disks ...)
Under http://en.opensuse.org/Submitting_Bug_Reports
I can find a list of "How to ..." -- which one applies?
LN> I'll consider implementing replacements for itercountk and pseed
LN> options in cryptsetup.
LN> cu
LN> Ludwig
J.
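
Added example, not part of the original thread and not SUSE's or cryptsetup's code: a small fstab audit that lists loop-encrypted entries and marks the ones using `itercountk` or `pseed`, the two options the thread names as coming from the loop-AES patch. The sample fstab (device paths, mount points) is constructed; only the option string on the `/secure` line is taken from the message above.

```python
# Options the thread names as part of the dropped loop-AES patch.
LOOP_AES_ONLY = {"itercountk", "pseed"}

# Constructed sample input; devices and mount points are made up.
SAMPLE_FSTAB = """\
# <device> <mountpoint> <type> <options> <dump> <pass>
/dev/sda2  /         ext3  acl,user_xattr  1 1
/dev/sdb1  /secure   ext3  noauto,nocheck,acl,user_xattr,loop=/dev/loop0,encryption=twofish256,phash=sha512,itercountk=100  0 0
/dev/sdc1  /archive  ext3  noauto,loop=/dev/loop1,encryption=twofish256  0 0
"""


def parse_options(field):
    """Split an fstab options field into a {name: value} dict ('' if no value)."""
    opts = {}
    for item in field.split(","):
        key, _, value = item.partition("=")
        opts[key] = value
    return opts


def audit_fstab(text):
    """Return one finding per fstab entry that sets up an encrypted loop device."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        fields = stripped.split()
        if len(fields) < 4:
            continue  # malformed entry, no options field
        opts = parse_options(fields[3])
        if "encryption" not in opts:
            continue  # not an encrypted loop mount
        patch_opts = sorted(LOOP_AES_ONLY & opts.keys())
        findings.append({
            "line": lineno,
            "mountpoint": fields[1],
            "encryption": opts["encryption"],
            "phash": opts.get("phash"),
            "loop_aes_options": patch_opts,
            "depends_on_loop_aes_patch": bool(patch_opts),
        })
    return findings


if __name__ == "__main__":
    for f in audit_fstab(SAMPLE_FSTAB):
        flag = "NEEDS loop-AES patch" if f["depends_on_loop_aes_patch"] else "no loop-AES option"
        print(f"line {f['line']}: {f['mountpoint']} ({f['encryption']}): {flag}")
```

Entries flagged as depending on the patch are the ones for which the thread's workaround (mount/losetup from 10.2) or a migration applies.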