Jochen Hayek wrote:
> >>>>> Ludwig Nussel writes:
> LN> When migrating util-linux to util-linux-ng the loop-AES patch got
> LN> dropped.
>
> Did anybody at SUSE consider the consequences of that for enterprise users?
>
> But maybe I was the only one making use of that.
>
> LN> The itercountk option was part of that patch.
>
> LN> As quick workaround to be able to access your data
> LN> you can install util-linux (or just mount/losetup) from 10.2.
>
> LN> The plan is to not reintroduce the loop-AES patch
> LN> (yast never offered to use any of its options right?)
>
> You are most probably right in that yast did not explicitly offer those
> options,
> but it *did* generate fstab (resp. crypttab ?!?) entries making use of that.
> That's how I got to such encryption schemes.
> That was a couple of years ago ...
You are right. I just checked 9.2, yast indeed does use itercountk=100 if
one chooses to not mount the image on boot. I.e. different parameters
depending on whether /etc/fstab or /etc/cryptotab is used. That means we
need to support an upgrade path without hacks. Thanks for pointing that
out!

> I did not suspect then, that wasn't a good idea.
>
> If I had had the vague idea then,
> that I depended on a pretty "off-road" patch resp. encryption scheme,
> that SUSE would drop one day around 2007 ...

I don't intend to drop support for encryption schemes yast once offered.

> Excuse me, but is LUKS also such a quite "off-road" patch,
> that I should better not make myself dependent on?!?

No one knows. It's supported on most distros with unmodified tools so
chances are good that you won't end up with unreadable images :-)

> LN> and also to get rid of the loop_fish2 kernel module for 10.3 though.
>
> >> Shall I just forget twofish256 and migrate all my encrypted disks?
>
> LN> If that's an option for you
> LN> it certainly makes sense to use a more secure on-disk format.
> LN> 10.3 should still be able to read old images though.
> LN> Therefore cryptsetup/dm-crypt do support the loop_fish2 format
> LN> (twofish-cbc-null) in factory already.
> LN> What's missing atm is the ability to generate keys compatible with
> LN> the loop-AES patch.
>
> You mean, the ability to cope with such encryption schemes,
> is that identical to generating such keys?!?

The itercountk parameter does not affect the format of the data on the
disk (twofish-cbc-null). It just specifies a different method (sha512+aes
instead of just sha512) to compute the binary key used for encryption.

> LN> Please file a bug and assign it to me,
>
> I am not sure, we will really end there, but ... maybe.
> (I personally, I am already migrating my encrypted disks ...)
Looks like you are a brave man since you already tried to use your
crypted images on factory :-) So I'd be glad if you could keep your old
images around and verify that the new method to access them actually
works.

> Under http://en.opensuse.org/Submitting_Bug_Reports
> I can find a list of "How to ..." -- which one applies?

I've filed Bug #270833 myself. You may add yourself to CC if you are
interested.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   SUSE Labs
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
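The point Ludwig makes about itercountk (it changes how the binary key is computed from the passphrase, not the twofish-cbc-null layout of the sectors on disk) is what makes the upgrade path tricky: a tool can read the image perfectly well and still produce garbage if it derives the key the fstab way for a cryptotab image. The program below is an added illustration of that, not code from this thread, from loop-AES or from util-linux. Its assumptions: AES-256 in CBC mode with an all-zero IV stands in for twofish-cbc-null, because Twofish is not in the Go standard library; the "sha512" path is taken to be the first 256 bits of sha512(passphrase); the "sha512+aes" path is a hypothetical stretch of those bits through itercountk*1000 AES rounds, chosen only so the two paths yield different keys, and is not loop-AES's actual key scrambling; the passphrase and sector contents are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha512"
	"fmt"
)

const sectorSize = 512

// deriveKey turns a passphrase into a 256-bit key.
//   itercountk == 0: the key is the first 256 bits of sha512(passphrase)
//                    (the "just sha512" path, here assumed for /etc/fstab).
//   itercountk  > 0: those 256 bits are additionally run through
//                    itercountk*1000 rounds of AES-256 keyed with the other
//                    half of the digest (the "sha512+aes" path, here assumed
//                    for /etc/cryptotab with itercountk=100).
// The stretching step is a hypothetical stand-in for loop-AES key scrambling;
// it is not the real algorithm, it only makes the two paths disagree.
func deriveKey(pass []byte, itercountk int) []byte {
	digest := sha512.Sum512(pass)
	key := make([]byte, 32)
	copy(key, digest[:32])
	if itercountk <= 0 {
		return key
	}
	scrambler, err := aes.NewCipher(digest[32:]) // 32-byte key selects AES-256
	if err != nil {
		panic(err) // cannot happen with a 32-byte key
	}
	for i := 0; i < itercountk*1000; i++ {
		scrambler.Encrypt(key[:16], key[:16])
		scrambler.Encrypt(key[16:], key[16:])
	}
	return key
}

// encryptSector encrypts one 512-byte sector in CBC mode with an all-zero IV,
// i.e. dm-crypt's "null" IV generator. AES stands in for Twofish (see lead-in);
// the on-disk structure is the same regardless of how the key was derived.
func encryptSector(key, plain []byte) ([]byte, error) {
	if len(plain) != sectorSize {
		return nil, fmt.Errorf("sector must be %d bytes, got %d", sectorSize, len(plain))
	}
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, blk.BlockSize()) // null IV: all zero, identical for every sector
	out := make([]byte, sectorSize)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, plain)
	return out, nil
}

// decryptSector is the inverse of encryptSector.
func decryptSector(key, ct []byte) ([]byte, error) {
	if len(ct) != sectorSize {
		return nil, fmt.Errorf("sector must be %d bytes, got %d", sectorSize, len(ct))
	}
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, blk.BlockSize())
	out := make([]byte, sectorSize)
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, ct)
	return out, nil
}

// opensWith reports whether key decrypts sector ct to data starting with
// marker, the way mount recognises (or fails to recognise) a superblock.
func opensWith(key, ct, marker []byte) bool {
	pt, err := decryptSector(key, ct)
	return err == nil && bytes.HasPrefix(pt, marker)
}

func main() {
	pass := []byte("correct horse battery staple") // constructed sample passphrase
	marker := []byte("SAMPLE-SUPERBLOCK")          // constructed stand-in for an fs magic
	plain := make([]byte, sectorSize)
	copy(plain, marker)

	// Image created the cryptotab way: itercountk=100.
	ct, err := encryptSector(deriveKey(pass, 100), plain)
	if err != nil {
		panic(err)
	}

	fmt.Println("itercountk=100 opens:", opensWith(deriveKey(pass, 100), ct, marker)) // true
	fmt.Println("itercountk=0   opens:", opensWith(deriveKey(pass, 0), ct, marker))   // false
	fmt.Println("itercountk=50  opens:", opensWith(deriveKey(pass, 50), ct, marker))  // false
}
```

Nothing on disk records which derivation was used; that information lives only in the fstab or cryptotab entry that yast generated. A migration tool therefore has to reproduce the exact derivation, itercountk included, before it can claim to read old images, which is why keeping the original images around and verifying the new access path against them is the right check.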
