Re: [dm-crypt] Migrating from loop AES to dm-crypt

[Arno Wagner <arno@wagner.name>]

On Fri, Sep 14, 2012 at 06:35:19PM +0100, Nick Battle wrote:
> I've just upgraded from openSUSE 12.1 to 12.2. I find that the latest version of
> mount and losetup do not have the file encryption options they used to, since
> everyone should have migrated to dm-crypt. The trouble is, I now have some
> encrypted backup volumes that I cannot read!
> 
> I used to mount the archives with:
> 
> 	mount ... -o loop,phash=sha256,encryption=aes128
> 
> It looks like I should be using the loopaesOpen option to cryptsetup to
> mount these now, but I cannot find a combination of options that works. 
> I'm trying the following:
> 
> cryptsetup loopaesOpen <device> <name> --key-file pp --key-size 128 --hash
> sha256 -c aes-cbc-plain
> 
> Where the file pp has my passphrase (without a newline) - that I used to
> enter at the prompt mount gave when using the "-o loop".  This
> successfully sets up the mapper, but the result is not recognizable as a
> filesystem (I think it's ext2).  So I assume the crypto and/or passphrase
> hash isn't quite right.

Yes. As there is no metadata it will do the mapping even if the
parameters are completely wrong.

> I'm afraid the archives are so old that I don't know which options I used
> to originally create them, though I almost certainly chose "defaults".
> 
> Can anyone help?

I also have no idea what you need, but loop AES has no metadata,
i.e. the correct options need to be given every time. That
means your openSUSE 12.1 gave them, either because it was the
defaults used there, or because they were encoded somewhwere
(crypttab?) 

In the first case an OpenSUSE 12.1 life CD should help.
In the second case you need to find the parameters, for
example in a backup of the old system.

If you get the container mapped with the old openSUSE,
   dmsetup table --target crypt --showkey /dev/mapper/<device>
should give cipher, mode and offsets. (Also master key, 
don't post that or cut it down to first and last char or 
the like).

If you figure it out, can you tell me which parameters worked
for cryptsetup, so I can add them in Secrion 7 of the FAQ? Thanks!

Arno
-- 
Arno Wagner,    Dr. sc. techn., Dipl. Inform.,   Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty 
are stupid, and those with any imagination and understanding are filled 
with doubt and indecision. -- Bertrand Russell