From: Milan Broz <mbroz@redhat.com>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Crypto operation
Date: Fri, 05 Nov 2010 11:16:55 +0100 [thread overview]
Message-ID: <4CD3D997.1040606@redhat.com> (raw)
In-Reply-To: <1288950573.4cd3d32d104a8@www.inmano.com>
On 11/05/2010 10:49 AM, octane indice wrote:
> In order to better understand how cryptsetup works, I'm asking if there is a
> 'big picture' or a debug mode explaining how things are done. (I'm asking
> about cryptsetup, not LUKS).
Then you are not asking about cryptsetup, but just about how dm-crypt works:)
Cryptsetup just configures dm-crypt, there is no userspace crypto related
(except LUKS operation or passphrase hashing in plain mode
- output of this is just volume key directly used in dm-crypt)
Start with kernel documentation
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob_plain;f=Documentation/device-mapper/dm-crypt.txt;hb=HEAD
you can get active mapped target (after cryptsetup configures it) with
dmsetup table --showkeys
you can configure it using dmsetup too
(dmsetup is just wrapper around dm-ioctl calls)
> e.g. An explanation as. Password is taken from command line.
> A read is made through /dev/mapper/crypted_disk
> The first block is read. The AES-128-cbc operation is computed with options
> like, iv= K= or salt=...
> When we write a block, then which things are done, and so on.
that's not job for cryptsetup, this is how dm-crypt works
Example: in plain mode:
- cryptsetup reads passphrase, hashes it using specified hash alg
and use it directly as volume key
- in luks mode it decrypts keyslot and read volume key from there
The enryption in dm-crypt is common mode for storage FDE, each sector (512B)
is encrypted separately with given cipher and mode) and initial vector.
E.g. aes-cbc-plain : used cipher AES, cbc mode (so the 512B sector is divided
to 16bytes cipher blocks for CBC) and with initial vector "plain" what here means
just sector number.
> Is there a tech documentation explaining that? The goal for me would to use
> openssl in order to make a decryption of a disk ciphered by cryptsetup and
> vice-versa.
That makes no sense to me (if you are using Linux), except some exercise
with openssl.
What is the real goal here? Can you please explain it?
> In a second time, I would think that it works the salme way with Luks,
> excepts that the password is read from the luks header nad crypto operation
> begins beyond the luks header.
passphrase in LUKS mode is neither derived nor related to volume key used in encryption.
passphrase just unlocks the slot where the key is stored.
Milan
next prev parent reply other threads:[~2010-11-05 10:16 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-11-05 9:49 [dm-crypt] Crypto operation octane indice
2010-11-05 10:16 ` Milan Broz [this message]
[not found] ` <1288956581.4cd3eaa52d8ff@www.inmano.com>
[not found] ` <4CD3F6AF.60808@redhat.com>
2010-11-07 13:25 ` octane indice
2010-11-05 14:18 ` Arno Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4CD3D997.1040606@redhat.com \
--to=mbroz@redhat.com \
--cc=dm-crypt@saout.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.