From: Milan Broz <mbroz@redhat.com>
To: Rudolf Deilmann <rudolf.deilmann@gmail.com>
Cc: dm-crypt@saout.de
Subject: Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.3.0-rc1 (test release candidate)
Date: Mon, 14 Mar 2011 23:10:37 +0100
Message-ID: <4D7E925D.2010802@redhat.com>
In-Reply-To: <20110314221329.19d588ea@gmail.com>

On 03/14/2011 10:13 PM, Rudolf Deilmann wrote:
> On Mon, 14 Mar 2011 18:44:05 +0100

> I've tried to open some old loop-AES partitions with this version and
> kernel 2.6.38-rc8. It basically seems to work (however, it seems to be
> slower than original loop-aes as your comment regarding speed suggests)

yes, it is slow but it is generally usable. I tried to implement it
the simplest way (e.g. CBC first block tweaking is done using
dmcrypt IV generator, in theory it should be done using cryptoAPI etc).

> 1) Keyfile handling
> 
> The following didn't work with one keyfile:
> 
> cryptsetup --key-file /path/keyfile -s 256 loopaesOpen <device> <name>

Can you please send me the keyfile (with all keys replaced with zeroes or so
- I think the problem is just with EOL chars)?

> 2) Offset, skip and sizelimit support
> 
> It was common to store the gpg-keyfile in the head of a partition. See
> for example http://loop-aes.sourceforge.net/aespipe.README: 
> 
> ---
> 3.3. Example 3 - Encrypted CD-ROM
> [...]
> mount -t iso9660 /dev/cdrom /cdrom -o
> loop=/dev/loop0,encryption=AES128,gpgkey=/dev/cdrom,offset=8192 

Yes, I know. I was not sure if someone is really using it :)

Maybe I added something already but did not document it, anyway
I want to add:

- offset should be supported using --offset switch

- skip - I am not sure how it works in loopAES, need to check.
If it is just IV offset on the first data sector, it is just one
line of code (we have the same for plain dmcrypt already).

- limited read of key-file from start of device should be done
using --keyfile-size. But the problem is that it is gpg encrypted,
and I do not want to fork gpg binaries from cryptsetup code
(at least not in this version).

But it can probably be worked around using a wrapper like
dd if=<dev> bs=8k count=1 2>/dev/null | gpg -d .. | cryptsetup --offset ...

Really, LUKS is better here in handling metadata on disk.
(And loop device support allows separate metadata device in next version,
I just did not have time to finish that yet in 1.3.0)

> I was able to open such a partition with plain dmsetup; 'cryptsetup
> loopaesOpen' didn't work because '--size','--skip' and '--offset' are
> not supported. Perhaps you could add support for these switches to
> loopaesOpen; the necessary changes in cryptsetup seem trivial.
> ( '--offset' - but not '--skip' - is already mentioned in the manpage
> as a supported option for loopaesOpen )

yes, I'll fix it in next rc.

Thanks for testing it!
Milan
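
Added example, not part of the original message and not code from cryptsetup: a sketch of the dd | gpg | cryptsetup wrapper described above, for a device whose gpg-encrypted keyfile occupies the first N bytes. The function names and the DRY_RUN variable are hypothetical; it assumes the encrypted data starts right after the key area and relies on cryptsetup's --offset being counted in 512-byte sectors and --key-file=- reading the keys from stdin.

```shell
#!/bin/sh
# Hypothetical helper names; added illustration only.

# Convert a byte offset (as used by loop-AES "offset=") to the
# 512-byte sector count that cryptsetup's --offset expects.
bytes_to_sectors() {
    bytes=$1
    case $bytes in
        ''|*[!0-9]*) echo "offset must be a non-negative integer" >&2; return 1 ;;
    esac
    if [ $((bytes % 512)) -ne 0 ]; then
        echo "offset $bytes is not a multiple of 512" >&2
        return 1
    fi
    echo $((bytes / 512))
}

# open_loopaes_embedded_key <device> <name> <key-area-bytes> [key-bits]
# Reads the key area from the head of the device, decrypts it with gpg
# and hands the plaintext keys to cryptsetup over a pipe, so the
# decrypted keyfile is never written to disk.
open_loopaes_embedded_key() {
    dev=$1; name=$2; hdr=$3; bits=${4:-128}
    sectors=$(bytes_to_sectors "$hdr") || return 1

    # DRY_RUN (assumption of this example): print the pipeline only.
    if [ -n "$DRY_RUN" ]; then
        echo "dd if=$dev bs=$hdr count=1 | gpg --decrypt |" \
             "cryptsetup loopaesOpen --key-file=- -s $bits --offset $sectors $dev $name"
        return 0
    fi

    # gpg asks for its passphrase on the terminal, not on stdin,
    # because stdin is the pipe carrying the encrypted key area.
    dd if="$dev" bs="$hdr" count=1 2>/dev/null \
        | gpg --decrypt \
        | cryptsetup loopaesOpen --key-file=- -s "$bits" \
              --offset "$sectors" "$dev" "$name"
}
```

For the CD-ROM layout quoted above (offset=8192, AES128) the call would be open_loopaes_embedded_key <device> <name> 8192 128, which passes --offset 16 to cryptsetup.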
