[dm-crypt] cryptsetup and loop-AES devices

[dm-crypt] cryptsetup and loop-AES devices

[Markus Porto]

Hello,

I have a very stupid question concerning dm-crypt: I recently moved to a new
laptop on which I installed Debian squeeze. On my previous laptop (which run
Debian lenny) I used dm-crypt for USB sticks etc. and loop-AES for CDs/DVDs.
In Debian squeeze, somehow loop-AES does not to work anymore (there are a
couple of reports concerning that), but I read on your web page
http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions that
dm-crypt can also handle loop-AES encrypted devices.

I create an encrypted DVD of the directory /tmp/encrypted_dvd using

cd /tmp
yes "" | dd of=/tmp/encrypted_dvd.iso bs=512 count=16
head -c 3705 /dev/urandom | uuencode -m - | head -n 66 | tail -n 65 | \
 gpg --symmetric -a | dd of=/tmp/encrypted_dvd.iso conv=notrunc
genisoimage -quiet -r /tmp/encrypted_dvd | \
 aespipe -e AES128 -K /tmp/encrypted_dvd.iso -O 16 >> /tmp/encrypted_dvd.iso
growisofs -dvd-compat -speed=8 -Z /dev/dvd=/tmp/encrypted_dvd.iso

so that the first 8192 bytes contain the encrypted keys.

Previously (with Debian lenny), I mounted the DVD using the options
`ro,exec,loop,encryption=AES128,gpgkey=/dev/dvd,offset=8192' which does not
work anymore (error message `ioctl: LOOP_SET_STATUS: Invalid argument,
requested cipher or key length (128 bits) not supported by kernel'). If I
understood properly, the point is that cryptoloop support has been dropped
from the squeeze kernel.

In any case, I still need to read my old CDs/DVDs: How can I do that using
cryptsetup? I read on the web page mentioned above that

losetup /dev/loop0 /dev/dvd
cryptsetup -c aes-plain -h sha256 create encrypted /dev/loop0
mount /dev/mapper/encrypted /media/encrypted_dvd

should do it, but this does not work (/dev/mapper/encrypted is not an
ISO9660 filesystem). I tried to add options -o 4 or -p 4 (I understood that
the size is in blocks and that block size is 2048 bytes for DVDs), and also
several other values such as 16 (block size 512). How do I have to call
cryptsetup in my case?

Many thanks for your kind help.

Best regards,
Markus Porto

Re: [dm-crypt] cryptsetup and loop-AES devices

[Milan Broz]

On 12/03/2010 08:11 PM, Markus Porto wrote:
> Hello,
> In Debian squeeze, somehow loop-AES does not to work anymore (there are a
> couple of reports concerning that), but I read on your web page
> http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions that
> dm-crypt can also handle loop-AES encrypted devices.

cryptsetup (resp dm-crypt) cannot handle loop-aes multikey yet.
(that info is just about old setups)

I want to add some compatibility mode but it is not priority currently
(it requires kernel patch).

Milan

Re: [dm-crypt] cryptsetup and loop-AES devices

[Arno Wagner]

One thing you can try is to compile and run your own kenrel.
I have been doing that with Debian for 6-7 years now, without
any major issues. Its not even a "sort-of" Debian kernel,
just a hard boot of a kernel from kernel.org without initrd, 
both with modules and anything statically compiled in. I
am currently running 2.6.36.1 with lenny.

I have never used loop-AES, but a short look at the instructions
at  http://loop-aes.sourceforge.net/loop-AES.README seems to 
indicate the module and tools can be built up to including the 
upcomming 2.6.37 kernel.

Arno


On Fri, Dec 03, 2010 at 08:11:33PM +0100, Markus Porto wrote:
> Hello,
> 
> I have a very stupid question concerning dm-crypt: I recently moved to a new
> laptop on which I installed Debian squeeze. On my previous laptop (which run
> Debian lenny) I used dm-crypt for USB sticks etc. and loop-AES for CDs/DVDs.
> In Debian squeeze, somehow loop-AES does not to work anymore (there are a
> couple of reports concerning that), but I read on your web page
> http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions that
> dm-crypt can also handle loop-AES encrypted devices.
> 
> I create an encrypted DVD of the directory /tmp/encrypted_dvd using
> 
> cd /tmp
> yes "" | dd of=/tmp/encrypted_dvd.iso bs=512 count=16
> head -c 3705 /dev/urandom | uuencode -m - | head -n 66 | tail -n 65 | \
>  gpg --symmetric -a | dd of=/tmp/encrypted_dvd.iso conv=notrunc
> genisoimage -quiet -r /tmp/encrypted_dvd | \
>  aespipe -e AES128 -K /tmp/encrypted_dvd.iso -O 16 >> /tmp/encrypted_dvd.iso
> growisofs -dvd-compat -speed=8 -Z /dev/dvd=/tmp/encrypted_dvd.iso
> 
> so that the first 8192 bytes contain the encrypted keys.
> 
> Previously (with Debian lenny), I mounted the DVD using the options
> `ro,exec,loop,encryption=AES128,gpgkey=/dev/dvd,offset=8192' which does not
> work anymore (error message `ioctl: LOOP_SET_STATUS: Invalid argument,
> requested cipher or key length (128 bits) not supported by kernel'). If I
> understood properly, the point is that cryptoloop support has been dropped
> from the squeeze kernel.
> 
> In any case, I still need to read my old CDs/DVDs: How can I do that using
> cryptsetup? I read on the web page mentioned above that
> 
> losetup /dev/loop0 /dev/dvd
> cryptsetup -c aes-plain -h sha256 create encrypted /dev/loop0
> mount /dev/mapper/encrypted /media/encrypted_dvd
> 
> should do it, but this does not work (/dev/mapper/encrypted is not an
> ISO9660 filesystem). I tried to add options -o 4 or -p 4 (I understood that
> the size is in blocks and that block size is 2048 bytes for DVDs), and also
> several other values such as 16 (block size 512). How do I have to call
> cryptsetup in my case?
> 
> Many thanks for your kind help.
> 
> Best regards,
> Markus Porto
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
> 

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier