[dm-crypt] [ANNOUNCE] cryptsetup 1.3.0-rc1 (test release candidate)

[dm-crypt] [ANNOUNCE] cryptsetup 1.3.0-rc1 (test release candidate)

[Milan Broz]

The first cryptsetup 1.3.0-rc1 release candidate is available at

   http://code.google.com/p/cryptsetup/

Feedback and bug reports are welcomed.

p.s. Please let me know if you tested crypto backend support
or loop-AES compatibility mode (and report problems, if there is any:-)

Thanks,
Milan

Cryptsetup 1.3.0 (rc1) Release Notes
====================================

Changes since version 1.2.0

Important changes
~~~~~~~~~~~~~~~~~
 * Several userspace crypto backends support

   cryptsetup now supports generic crypto backend interface which allows
   compile package with various crypto libraries, these are already implemented:

   * gcrypt (default, used in previous versions)
   * OpenSSL
   * NSS (because of missing ripemd160 it cannot provide full backward compatibility)
   * kernel userspace API (provided by kernel 2.6.38 and above)
     (Note that kernel userspace backend is very slow for this type of operation.
      But it can be usefull for embedded systems, because you can avoid userspace
      crypto library completely.)

   Backend is selected during configure time, using --with-crypto_backend option.

   configure --with-crypto_backend=BACKEND (gcrypt/openssl/nss/kernel) [gcrypt]

   Note that performance checked (iterations) in LUKS header will cause that
   real iteration time will differ with different backends.
   (There are huge differences in speed between libraries.)

 * Cryptsetup now automatically allocates loopback device (/dev/loop) if device
   argument is file and not plain device.

   This require Linux kernel 2.6.25 and above (which implements loop autoclear flag).

   You can see backing file in cryptsetup status output if underlying device is loopback.

 * Adds luksChangeKey command

    cryptestup luksChangeKey --key-file <old keyfile> <new keyfile> [--key-slot X] 
    cryptestup luksChangeKey [--key-slot X]  (for passphrase change)

   This command allows passphrase/keyfile change in one step. If no key slot is
   specified (and there is still free key slot on device) new slot is allocated before
   the old is purged.

   If --key-slot option is specified (or there is no free slot) command will overwrite
   existing slot.
   WARNING: Be sure you have another slot active or header backup when using explicit
            key slot (so you can unlock the device even after possible media failure).

 * Adds compatible support for loop-AES encryption type in loopaesOpen command.

   Linux dm-crypt in 2.6.38 and above supports loop-AES compatible mapping
   (including multi-key and special CBC mode, all three modes are supported).

   If you have raw loop-AES keyfile (text file with uuencoded per-line keys), you can
   access loop-AES volume using
     cryptsetup loopaesOpen <device> <name> [--key-size 128] --key-file <key-file>

   If you are using GPG encrypted keyfile
     gpg --decrypt <key-file> | cryptsetup loopaesOpen --key-file=- <device> <name>

   Do not forget to specify key size. Other ciphers than AES should work but were
   not tested. Version and hash is automatically detected according to number
   of lines in key file.

   Please note that loopAES dm-crypt mode is provided for compatibility reasons
   (so you do not need to patch kernel and util-linux to map existing volumes)
   but is is not, and never will be, optimized for speed.
   It is experimental feature for now.

 * WARNING: This is the last cryptsetup release which supports library with
            old API (using struct crypt_options).
            These calls are deprecated since 1.1.0 and AFAIK no application
            is using it in recent distros. Removing compatible code will allow
            new features to be implemented easily.

Other changes
~~~~~~~~~~~~~
 * Increase libcryptsetup version (loopAES change), still fully backward compatible.
 * Fixes static build (--disable-static-cryptsetup now works properly).
 * Supports secure data flag for device-mapper iotcl (will be in 2.6.39,
   forcing kernel to wipe all ioctl buffers with possible key data).
   To enable this flag you need new device-mapper library, in LVM2 2.02.84.
 * Add copyright texts into some files and adds GPL exception allowing
   to distribute resulting binaries linked with OpenSSL.
 * Update FAQ.
 * Fix message when locking memory fails.
 * Fix luksAddKey return code if master key is used.
 * Update some text files in distributions.
 * Add docs directory with Release Notes archive.
 * Do not hardcode loopback device name in tests, use internal loopback library.

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.3.0-rc1 (test release candidate)

[Rudolf Deilmann]

On Mon, 14 Mar 2011 18:44:05 +0100
Milan Broz <mbroz@redhat.com> wrote:
> p.s. Please let me know if you tested crypto backend support
> or loop-AES compatibility mode (and report problems, if there is
> any:-)

Thanks for your work, Milan.

I've tried to open some old loop-AES partitions with this version and
kernel 2.6.38-rc8. It basically seems to work (however, it seems to be
slower than original loop-aes as your comment regarding speed suggests)

Two notes:

1) Keyfile handling

The following didn't work with one keyfile:

cryptsetup --key-file /path/keyfile -s 256 loopaesOpen <device> <name>

but this did work:

cat /path/keyfile | \\
  cryptsetup --key-file - -s 256 loopaesOpen <device> <name> 


I didn't have this problem with another keyfile.


2) Offset, skip and sizelimit support

It was common to store the gpg-keyfile in the head of an partition. See
for example http://loop-aes.sourceforge.net/aespipe.README: 

---
3.3. Example 3 - Encrypted CD-ROM
[...]
mount -t iso9660 /dev/cdrom /cdrom -o
loop=/dev/loop0,encryption=AES128,gpgkey=/dev/cdrom,offset=8192 
---

I was able to open such a partition with plain dmsetup; 'cryptsetup
loopaesOpen' didn't work because '--size','--skip' and '--offset' are
not supported. Perhaps you could add support for these switches to
loopaesOpen; the necessary changes in cryptsetup seems trivial.
( '--offset' - but not '--skip' - is already mentioned in the manpage
as a supported option for loopaesOpen )

mfg,
 Rudi

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.3.0-rc1 (test release candidate)

[Milan Broz]

On 03/14/2011 10:13 PM, Rudolf Deilmann wrote:
> On Mon, 14 Mar 2011 18:44:05 +0100

> I've tried to open some old loop-AES partitions with this version and
> kernel 2.6.38-rc8. It basically seems to work (however, it seems to be
> slower than original loop-aes as your comment regarding speed suggests)

yes, it is slow but is is generally usable. I tried to implement it
the simplest way (e.g. CBC first block tweaking is done using
dmcrypt IV generator, in theory it should be done using cryptoAPI etc).

> 1) Keyfile handling
> 
> The following didn't work with one keyfile:
> 
> cryptsetup --key-file /path/keyfile -s 256 loopaesOpen <device> <name>

Can you please send me the keyfile (with replaced all keys with zeroes or so
- I think the problem is just with EOL chars)?

> 2) Offset, skip and sizelimit support
> 
> It was common to store the gpg-keyfile in the head of an partition. See
> for example http://loop-aes.sourceforge.net/aespipe.README: 
> 
> ---
> 3.3. Example 3 - Encrypted CD-ROM
> [...]
> mount -t iso9660 /dev/cdrom /cdrom -o
> loop=/dev/loop0,encryption=AES128,gpgkey=/dev/cdrom,offset=8192 

Yes, I know. I was not sure is someone really using it :)

Maybe I added something already but not documented it, anyway
I want to add:

- offset should be supported using --offset switch

- skip - I am not sure how it works in loopAES, need to check.
If it is just IV offset on the first data sector, it is just one
line of code (we have the same for plain dmcrypt already).

- limited read of key-file from start of device should be done
using --keyfile-size. But the problem is that it is gpg encrypted,
and I do not want to fork gpg binaries from cryptsetup code
(at least not in this version).

But it can be probably workarounded using wrapper like
dd if=<dev> bs=8k count=1 2>/dev/null | gpg -d .. | cryptsetup --offset ...

Really, LUKS is better here in handling metadata on disk.
(And loop device support allows separate metadata device in next version,
I had just not time to finish that yet in 1.3.0)

> I was able to open such a partition with plain dmsetup; 'cryptsetup
> loopaesOpen' didn't work because '--size','--skip' and '--offset' are
> not supported. Perhaps you could add support for these switches to
> loopaesOpen; the necessary changes in cryptsetup seems trivial.
> ( '--offset' - but not '--skip' - is already mentioned in the manpage
> as a supported option for loopaesOpen )

yes, I'll fix it in next rc.

Thanks for testing it!
Milan

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.3.0-rc1 (test release candidate)

[Rudolf Deilmann]

[-- Attachment #1: Type: text/plain, Size: 906 bytes --]

On Mon, 14 Mar 2011 23:10:37 +0100
Milan Broz <mbroz@redhat.com> wrote:
> yes, it is slow but is is generally usable. I tried to implement it

Yes, it's fast enough for compatibility access of old disks. People
should switch to xts, if they want better speed.

> Can you please send me the keyfile (with replaced all keys with
> zeroes or so
> - I think the problem is just with EOL chars)?

It seems to be a problem with (unusual) large keyfiles.
Sampe keyfile generation: 

for dat in `seq 1 65`; do head -c "$x" /dev/urandom | \\
openssl enc -base64 -A ; echo ; done >keyfile

On my machine, $x greater than 90 results in different internal keys
for 'cat keyfile | cryptsetup ' and 'cryptsetup --key-file keyfile'. If
the key-file is even large, I get at least an error message. Sample
keyfile ( x=91 ) attached or at http://pastebin.com/PeLUZ5a4, if the
mailing list removes attachements. 

mfg,
 rudi

[-- Attachment #2: keyfile --]
[-- Type: application/octet-stream, Size: 8125 bytes --]

7Dho36pWvdZM3Jt9q0MQnT4WckuZ4XqHKVnMx19NTmPGEWn8/DRUj4fD3FmBki6l24wvX/zthWppAf4sctiJfXGM+1FA+brsnmMcRdhyDIwPc6V5REGfa1AIGA==
6uUnIHqyMVW4nfKmbHjAtQvAqOlRO/Uc3SoTNAhklUV46ek+hTeCaemEAuddiyeAz0OD7N7BG2LT8bQz5pgjbP1+j3v8V2aQ1oxdnMXMv7pFXaof/ok2wWpZAA==
CRG8WMFm1/9R//SFy75c3RYKFLCx3oHaEsbIpw0ko4ttH5DMaSJzmX/SgbUhajFtk6IYyoVPNjXD71d/7mZwyQ9bVmbE41fGu6XfstJep3TiYEnr0sez5DGUhA==
0NhHZgMvvnyuuXLSve2KlEa+Z80s1rckBUICbmG47/K6ETPNjl1avHdkRkxjeoIaeo6aXC1a6gzUu8ZE2DI9+dqao++6PncDZcMNY2B+r046MmQcH1NFYDFmFw==
YCVsN7BDaK/b1uBjHm84/Om67oT8igyWriJzRUMzI09SLcQoZQxx6e9hi5KsXCQmxc24ZZPOeRpFD/xVmEsbkWrppiQPJ/qknPaZvGkvoITels23Iax0SdzEBw==
v7ZD4idg6WXIw5wHfW7drigl39wf4mHUYW7A9U8nempq2yAZfVFSrD9eNa4XzFglwWPj4CzTtsu4C0va1+Tz8+d4671SXhqDfJ1ZkktkyNKd62oZ5VRjj1MLfg==
tFOqtpjaSRXskcf71XVI4BXuzbPjb0woapzxaxI12ywn8fWJ+8ZUjfDcRYEixTh1fb30bq+3O/lvg6Ir4A1fTd3dnlo1+7hPHfOxYEzBbq1Omh4q9GToVQdZcw==
qQcrV1OdZlgzotsPPwoYFlopRaU2M7inQz6Jl6es/eCmRwNYx39Bur5LLVLEPeSLh5/tpxJjFDECPD+NIXejqKIMAI5VatxhSs60wFWAcOm1WUsduheH5/evyQ==
3H6nr4nb5UsTUubRwF1x9YsmBp5V9YWpOLSRYlA+d226FrWvEpJ/K2EPKzHMyn1TM+hP/WZFB9xJZMMax3PIcpqhOrh1NJ8SWHsA61J8/FhTo+Q2Ug82b4VknQ==
e17kofx7YtD8sH3uBdjo6L4sDlIJxKPec2/vgl50ZChdGKWSpggoHZs4hzDrCSl28nd7gIBJdrhb/VlRria7US2RGJfNOqWzFzss1a3ma5zCraNbB3+aMLJjMQ==
QEoxmvpvv/uH2QGKKaXjN+NSxSoru04per+2VHkmol2zoHx7mdOyVmPA8Zz2YGS5VmZFr8GGjrNv7oLLVuUc27+f+r8Zv2qkrda0TmO9moXrWN59X5fAJMl33Q==
eeXtPSpAQAigF2uMRenafIhcieLSNgDw9zdiudxconSKJ114z4o6wFxRb83Y5YvyZ9DWdRwJJVJdPmPgUVeI/FPji4VVNA7HKuT2Lj9u/+W5iGV8PoaVn2Gt+g==
zvFziCxUAq9sq62/VlGzJqKbpJhSZ+F8DfqrX93GYH1MIbLyQEHLJTjm4Sph6ozrXoWyuLRxsEklNEnX8xMZ3qkxubD9zKcdZf+HndVGCF7usrumEKB6Vt6iuA==
7/YFQSVl1Xe8C0RSH2sKAJm0018N/CaBOwA8IaVgbiB6PeB/1kxw5zDmpk1oAwUKebC/WhPwd1ZwxqFNdHKDFdww468xq2Qweo4I4mGujYJx95Bnowm/JuVvdg==
nvVCGL4fFG4Rl2s0de7UPo1aNxVu85vnPzWPh/Qy86LCWsx9y++H4314HRR9UyTvuGsxjHcNduGbWZUbS/MUCm2cEM8SOCDBsNHxzvWhcSVMlGuPywuHnd+ubg==
V01QjSiAg8LdlXw/waU5AGfeab9TuKTWcuLOy7nNSlZ6qLJrHocZVOweFfUrWWotYeAk9OP+cboQ7doriWkcTES9VH/kO6o77PrZzz9uM0uzZ7xD/xhX7IMS6g==
X/rnTtkU/sdFV0Zw3794ZUllUi6mRQVIRDIqgnUyZmMEdJvVZZD7dsT4e9S6d5rNWIZqlShOHm/pNVn7+9yo0HH668TxX7X7ErcjGhrwdFRGH62ZpgeJII8ydA==
mA14/QNfrDCcv2jWjSrPplVKF9DJhl0kyhG4T+SEmn7Is6ob/kG3J5ShEb8Hks+0WzzKDf+DuOASSjJ0wX8pGnHmUXGsc0PRvpCbXmwS2SsGlxeuyuXa86+YNQ==
JoeuwZBedr6jEiAhJgZthWzFXzCkEpd2SCFPVVSHFJzxW937WlARn/i3qgJmuCzfBRUel4U0dp8TeFg/7s6MHoViNfRax9Ks2L7nnxKk/Acax+Mye0cUzdBmRQ==
xzVSSGlZzNgwvuQ8VMeoLy3linjeRagoDbB+/JD+Ga58goPrBnOwsogaAZ13LUwzGJmpyEOFLOc7k60v+BBTJL8nZMgNiokf9pfrLWdqPyV+MwZQz6zqkPNyRA==
Iuy9rUNt+ApUCdXPemNJlsdkuK6ks+QkBZtf9Vo/97E2O0DukNbHrlpwZYICRO1GdHP2XIlvusgGiFkqKZwKGuCtEHIslwIragG1b09wckBbfnZSDLrQ9fOTiQ==
dJciQqiugZN48C+w25k54YsPJ5M98SAkGV+PC30MRfAPrtV1q8JgFP8I8w8/dz1rVZSu2A4ozDGgNU9ZHiZSaVqTFPNRvds2hzvLzSuw9JEY8vO9qedmCX7Z7w==
zIauBS2sV+pj56w0ez6VSavdekuuMYAVGINqCFaXh4YGWbJ6/VBgqRcHyz9jcT86Dl2Gt4CjwNmY3AHVcrpw2w3wXJsdhV6KBBLCUrR8AaPsUm7lFswnUULmLw==
LwtG2OwoirAyt5M19yfkJofASGWMEQ2+t6P57tCoFP9aNNcx6mWjXRYXXPGBDpWI6qP9g0Ts92W0SiowA/SBvlER773192D97vVtthd0CvbdgFLOGFD9rpuEaA==
V1Y2qUe80m6guTm02phehm/o0a3q4PPBY6l9ZJPH/So+N0E1oM27ZYe/scHJqAT6lcHIex6DsVwmreaB5FhLDrQFX8fQVJ7vOlfjb+kgt/1+hEoBcf8avhRD8g==
+TWEWyvVzKx3mCTBVqkUjyvkChTYHH8qhRXd6C+CQjsv0/NP/p8hOLR0adROfA+CIXmqCCBHxL8ysogNECYlA8p+JcTzsbDMH9lzzKuyD9YhBaILvaNtMn969Q==
Tn/mmFCPeYjr5GZFrBGdUKo0VY408XVER7IP170GmZ6c53hK1ayzG9pZmBnm88edBjBf57zRN1mmRdTHQ6y+cjY41urdl7dqQTkiC7y9SXIdAuV+S9LPJ8l7Ew==
MWQKe62d9TPTx3Hr+cV5WZX5TxiojvTGKXnypMpjKQul1h2vGinzsT2IfoI68F9WiDAscHDtj8EVf2UM3t9+jcBOO1L1wFs4HJcjBErQsHHQkHnHZvEcv/lwaA==
xc9AOCZMZh/aNZ1BL0UKLiUj//fYWyNHSUNVSqJq9iimmZPWbEOTd8pW75bzfCe+tR+83luO9Ln+EuRQnsYfn1RRP0Tkr2/WochKwHXnPbIb7cxdCmoiOR0fEQ==
3bS8G3wa0AM5ecG651wNHJSeHX46VfK8VRSQDWS0l0ITXRZPRgyiTKAm1UzoIm80ehlvbOvR3+Sqla4HEbzi3+b/MChAHAKRUYQW56S2NwQZH35FXWTeokvEEg==
K5FYJfC9vK7X9v2SdRzfPOMnD+smuHAi9gTK3clgjxDothyEnPG+FRLgcN1QEIHaYeSCVv8qRZbpbVu3SY2qDopUBoCsqJuRbu4Rd4JPm/dzisPR9wNK4Kcgrw==
d3ZAbElnIkwlB5LMuGV6MFGkQ+h0TgX/qsCcaC+gqe8Jtr543C+r+WnwH7QwyON/uX6nLMpi2+fd/gYhPLaRp2FbWVInCHidSEFbf2F9jIHdfmTedJqCoaA6PQ==
ZDbrNo/a7d7Zgiq/vW48YJA4DLsNgvEvtgnBJOR+YrUDaOeui1FEQpyQmS+UNuwlDTTH8+1U+Hof2ViHG6mx3YNTc3cPQUlgHLiPf+9x3Y3zbz8HrKJ3NnPT4w==
BVXSQeGjwgx3G0XohTe58MsdPe8TDPItdY+uopOhQ5HDs5WWEnLQrWQf5gXs8PMrYAYQy2EYw5AtMQFqV0QUJddHkH+KmQw9045cl/qFLkGpn5b8+8DNRYQfZw==
OyWQyC56hlIo68qYfmuP7OvfVocD+rTI7mu+wTFRy10itmBmy7x5mGR2Xq9jbIvM8/lpVcX92WqJ6Gjg5oHa0H21SByhNJ8RD88LihABmr9PGCnus96V/ZySFA==
UtdLzjoDBAsr2foTfAw6+ielFFlQOPS6riK6U8LDwylKPnDRbPSEeVUo5QaQxACjy6aYEp+ASpqWTf1qofaHr4A9XdoAjOuRxDdbiFKx/AAVkHcjHTv7VPtyMQ==
CuMnI/fgxckntA8ORBtwtp3avCqRYtmwCJcu1HqX91H53y9qq9rMi6JH2qJR2gGZ9AjJw6WlR9FHki2l3ReHI0ta8xtW/aUvbp6WDGW4UKE4W5w0oGzLySMGog==
mWq7DQebIqVX02b8i6E/I2uXL7SkUP5ITT4QCJRlHjfdrfYAIOF5/i4SH5R7+dd21csRexnsS4asnqdbT/bEQFEDMXwXNOJjPSgKqw9DPSk2x19yBta9uqKAXg==
cZkyo6ICUU/v3IoaIiZwv3LPwYPvHbCWAXqFLu7U3iihHII6xMy/nL3P5P0qs2AYroHyTyO4XxD9xaQA4mJKbyDOmFxT4vDjj3fNYzOVU8x/MIF06EePFABr0w==
iGdfZCkHr3BtrJD/9VYJSF68nal/QgR5jy79V2mqunfEw5UdV9hX6MmvNd3fPOMfUnaJrFWvecOS1+AxhghqxOYihfW3wq6rCu3FBNJDKQvG5Z178FUXGF8KWw==
CJmMn0QLHxrbOhkpJXxxdJwMLKGcG7hw90PwzyiwOgD8LYnkk2qHRnnxYrfSLqcRVZBGOSLA1dLIX6MC7LK3g8h0YCxdrBaK2VK5nWM6npBUIOo4Z5vlHakd4w==
bRT03DE5h078PwlsY8BzHkP+UDNjMSsDHg10DwE8Qeslfer43yG7yhht0jnPk6H/oe+xOwQIUqvC5P8z1nBRrMGk0UqJ7Aa7j+Q9H61BPd6Ay8xwuGeUrNTEnw==
1c4Cqoopqkegt3dir041PQviXFwcTNnHzGTHax9A7lD33jolJkwYhFR4ETxtfuWTC0/ZIhVwzdZJA1u+mwiDZq278EQypLOwi4Woq+eoHSifVhp6czajE7BD3w==
Do1EYvNsJecrtx2aasXWRA0gc6Dc82Ta5R4NvQdSNg1htLEk9SwVH8zem8B+aa3ebQabLD+8wAxtGEu0St0jcpZfvCaApQM8xDQbAaIHehDDfYz0Le6oIsBciw==
VrhYEKxONKuLDtBf+pkax2QJ1NdoE3CCbCS/p24I+zAjaMU3cv0np70iF9vQ9f6PFDqCkyDfB4CmK1eAnavUpgw2nbIOE0l8ejZaH0KW+QphqHQ5LW8N8DyLiw==
GvX/FGlgAqV7P6wk9wYQAy+QoGfCo1JHkfjQYJKlSlv4O7EVbRyvUGtv/maN/vv5WJkOCN76py/qFy6/k4F7dMWs87DJQJKGJsyvufPJU6MY8P09R5M7STMzXw==
Km6ackshA3Jv5GJVUpTosKZCW3vBArLuYP7OYwTIUdixoPmgIkhL8TwAV1668tpT1hPbixP08AZTYhH/Ai1lUnaFtaooTk+jr88EtqXzv8w8fvonmgKMWkJQoA==
T5qW7lxq6U78wH7VgizSpZqiQV/m7J90BVfx73gelVejnU0xh3WTsnK/hDkA5K19iCRTiB+rVksndJFxOqOgakEEszoAklwpl1EvGIXtpmRSMwOAPj1pQl0qYw==
o1gxoZTnyFzQXr4yEdpDVPR0BbWhEk8UzxoF+OhRQ+m7+EQ8whDepYLodzlxpk7hewDt8hvkp5q9EbZVLb52RNg3Z/liCo9Au4I3yhADMiYP3GsZPO5QRQ0r1g==
io6bhfDn8tIRyOyoTxTfJ6WZQfCaKC4gfI0H6yz5wDM1a8oA/y2zQA/aVSuJ9e2nr4aRmR2thXjrrBabsSxunj2LkZPJlhPa2tEAk/H5fgo6tWlCGt+p8w++CQ==
tBmU+W0CuhmRe9wByBbzha+7pr/Tsgly8x6UQQWHxbARR/vlYi+dhwJsBWEonwFbfdpUk7yF26bCqDLGZSzUmB5VSHNugEZXlUREfLkiEHDkL93HtPd5y20jaw==
GdNhW9cQ1jcamgGbYIFeTmkZaeyuO4G4vBdp3OBVPL2UOGk1bJkGBmEYB+WcYERyxE2duG+LUtmt6vLpXIZbSkyOQbPH0Mz8df5RBBn+RXYHaQNqIaQwPtxDnQ==
SfADiUraIomkf3edBMULh3ll+q2PeP12Xnp4Jxd29ftgV5rSGOIIeInGRXhXm2MZ0AiL0TMYHpO4Ub2/CerclfDMiz0mj0dvu72HSKnA2Qjy2lyzyCEmfj5C8g==
VOmz0Ta8Q5Z4/wf32dmAlhVA8dLPeYIeJoovPvyYWxxWKq9QD61edbI3ZlCFMVtkUl2EdqjkJJ+i9uHikPhgf1JWSe8TlDesA7tZaV2cE2B7TJbMqHKepKUCGg==
i9FdCf0mhptKRwmPYEucUQjpMOjcQSyFZFtcHUc33G34hgI58Jz3aPiDFuZoEvI9g4AMDmYOhChqsKVcTiZNzBOFm6tshwyKObUpg5li+6Lj1Lzh5xCbxRlFJg==
yAnqi+NY/xNA6PVsfdcSqBd5PU21x/ItPuml6juLShB7UcFvAokRiR/AfgY4l+QFw+AjNgfAbyG6kkqMqSkDJUukJvuA9B1Yby5h69dlGj/Lm9Ova2Ibi/bNwQ==
0gypGnunuEjOdTxcTuGkRrCKSv2Mhi0sBKBbcydsPJdmE4q0p7r5lqm3GBB46HBHtc6mBt0g2ptQVkSiXNQUk8h77jwy3zqleliuNvNzfw2Oboqopnd4no4GPQ==
n79q1xnzIo1OwJHUzLzhErEG5kDqUBr6gZ8nGBKEP1UTckfVQWREEISXXMTDXBUAUf0CSTJaFy2n7sqx5qHKjv4tAywbFkQsN0l6VaB0rsDu8mYOs2798bhOjw==
qzlGPi6rTKh/eAGt01b0vV3uNPYA7v3w8IF/18g2EOaAQUAN2PE11KLYGgzCUgf8HVN+tRD130Vz8Zb7mN083K9kChNW3iele1DkfgUtmrBdTB/vlArXVqTJbw==
CPye4sS0SPH+FiytK+2d8aKeeRdeqF6Im/m7zWUsyx49alD80hcxE91MVrsUJysTk5OO5WOeyl3oZpcCA3FIigvVEDIYP/HhlgsEBJoHQ9zXt1SiR2ZS7o82pQ==
GoEfasergRFwAlz46U4qNykN7qaGRe6TyvVI4VN9byNuibLeEcOMfEmdyVYwHzttbW1FB5/r6utru93rO0wRkWAmgeKOkA1ulTOi3PISyZDtnbpB7BtAvcqw4w==
YodWUcJ7K8enrz1l0i/N1eCxLR8S7nlOK8LgEKeFMn36YvOUZxBAfbl476WU7pw7DpCtemFphWyPnQ/8MEc+ADpuNZP+qArt1FTox9HcVQ0aIayH3llgLMN/Gw==
kmDkyVmJEzBIdlkdcuijCQI1rFhqPwSz38CZjlzlgX18Z6zlzuoIHH145eAxeNQ7ZE5bVvnSFDZYOsdV8ETGCqO+5aSfNSThz4hptLOahvNhzfoVb/9pRrbLyA==
GXLuI3YBwccb9+mfQklercr1knkUEVqNpK/atmNqnr1soAeI9qMgI0liS1NB/mKBAu++ATFc1IErorLOf78p/CjVF0zTLHjv/QOn6D8XciGIqQ9Iq3Y8y3wocQ==
5qPUDByDJIfXsxhPeqdenrReAur8fpcsKAhtS76WKKO9L+dfEgnv3EI6qX6QQ6YATGLhFrSibL2TXgRTgqvT/EEcakYlwLe70S2XUqwusDpJbhGtZy0lYuV49w==

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.3.0-rc1 (test release candidate)

[Arno Wagner]

On Tue, Mar 15, 2011 at 12:45:59AM +0100, Rudolf Deilmann wrote:
> On Mon, 14 Mar 2011 23:10:37 +0100
> Milan Broz <mbroz@redhat.com> wrote:
[...]
> It seems to be a problem with (unusual) large keyfiles.
> Sampe keyfile generation: 
> 
> for dat in `seq 1 65`; do head -c "$x" /dev/urandom | \\
> openssl enc -base64 -A ; echo ; done >keyfile
> 
> On my machine, $x greater than 90 results in different internal keys
> for 'cat keyfile | cryptsetup ' and 'cryptsetup --key-file keyfile'. If
> the key-file is even large, I get at least an error message. Sample
> keyfile ( x=91 ) attached or at http://pastebin.com/PeLUZ5a4, if the
> mailing list removes attachements. 

Wups, buffer overflow or cutdown (with the later being a whole
lot better, but still a problem)?

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.3.0-rc1 (test release candidate)

[Milan Broz]

On 03/15/2011 02:02 AM, Arno Wagner wrote:
> On Tue, Mar 15, 2011 at 12:45:59AM +0100, Rudolf Deilmann wrote:
>> On Mon, 14 Mar 2011 23:10:37 +0100

>> On my machine, $x greater than 90 results in different internal keys
>> for 'cat keyfile | cryptsetup ' and 'cryptsetup --key-file keyfile'. If
>> the key-file is even large, I get at least an error message. Sample
>> keyfile ( x=91 ) attached or at http://pastebin.com/PeLUZ5a4, if the
>> mailing list removes attachements. 
> 
> Wups, buffer overflow or cutdown (with the later being a whole
> lot better, but still a problem)?

There are no fixed buffers :)

Increasing LOOPAES_KEYFILE_MAXSIZE helps.
(it is clearly visible in debug output - when reading from stdout, it
reads 8125 bytes, but from keyfile it is limited to 8000).

I will also limit LUKS keyfile in next version, mistake will cause problems
(reading the whole device in locked memory -> OOPS or something like that).
I guess max 8MB is enough? We have already limit on passphrase from terminal
to 512 bytes.

Fixed in svn already.

Milan

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.3.0-rc1 (test release candidate)

[Jonas Meurer]

[-- Attachment #1: Type: text/plain, Size: 1247 bytes --]

Hey,

On 15/03/2011 Milan Broz wrote:
> On 03/15/2011 02:02 AM, Arno Wagner wrote:
> > On Tue, Mar 15, 2011 at 12:45:59AM +0100, Rudolf Deilmann wrote:
> >> On Mon, 14 Mar 2011 23:10:37 +0100
> 
> >> On my machine, $x greater than 90 results in different internal keys
> >> for 'cat keyfile | cryptsetup ' and 'cryptsetup --key-file keyfile'. If
> >> the key-file is even large, I get at least an error message. Sample
> >> keyfile ( x=91 ) attached or at http://pastebin.com/PeLUZ5a4, if the
> >> mailing list removes attachements. 
> > 
> > Wups, buffer overflow or cutdown (with the later being a whole
> > lot better, but still a problem)?
> 
> There are no fixed buffers :)
> 
> Increasing LOOPAES_KEYFILE_MAXSIZE helps.
> (it is clearly visible in debug output - when reading from stdout, it
> reads 8125 bytes, but from keyfile it is limited to 8000).
> 
> I will also limit LUKS keyfile in next version, mistake will cause problems
> (reading the whole device in locked memory -> OOPS or something like that).
> I guess max 8MB is enough? We have already limit on passphrase from terminal
> to 512 bytes.
> 
> Fixed in svn already.

please document these limits properly in the manpage.

greetings,
 jonas

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.3.0-rc1 (test release candidate)

[Arno Wagner]

On Tue, Mar 15, 2011 at 12:11:47PM +0100, Milan Broz wrote:
> On 03/15/2011 02:02 AM, Arno Wagner wrote:
> > On Tue, Mar 15, 2011 at 12:45:59AM +0100, Rudolf Deilmann wrote:
> >> On Mon, 14 Mar 2011 23:10:37 +0100
> 
> >> On my machine, $x greater than 90 results in different internal keys
> >> for 'cat keyfile | cryptsetup ' and 'cryptsetup --key-file keyfile'. If
> >> the key-file is even large, I get at least an error message. Sample
> >> keyfile ( x=91 ) attached or at http://pastebin.com/PeLUZ5a4, if the
> >> mailing list removes attachements. 
> > 
> > Wups, buffer overflow or cutdown (with the later being a whole
> > lot better, but still a problem)?
> 
> There are no fixed buffers :)

Ah, very good! (Not that I really suspected this was an overflow ;-)
 
> Increasing LOOPAES_KEYFILE_MAXSIZE helps.
> (it is clearly visible in debug output - when reading from stdout, it
> reads 8125 bytes, but from keyfile it is limited to 8000).

But a cut-down. Hmm. I think this makes sense, even if it can break some
things. But it should give an error rather than proceed, see below.

> I will also limit LUKS keyfile in next version, mistake will cause problems
> (reading the whole device in locked memory -> OOPS or something like that).

Indeed. What you could do is have it default to error instead of
to cut-down and proceed. That would make more sense, since
cutting it is almost always not going to work. The only case
I can think of were cutting works if is your key comes from
/dev/(u)random for swap or the like.

> I guess max 8MB is enough? We have already limit on passphrase 
> from terminal to 512 bytes.

If it gives a descriptive error message when the length is 
exceded, it is less critical. Also, a commandline option
to increase/decrease the limit may be a good idea, but I
would see it as non-urgent.

Arno

 
> Fixed in svn already.
> 
> Milan
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
> 

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.3.0-rc1 (test release candidate)

[Milan Broz]

On 03/15/2011 12:43 PM, Jonas Meurer wrote:
>> I will also limit LUKS keyfile in next version, mistake will cause problems
>> (reading the whole device in locked memory -> OOPS or something like that).
>> I guess max 8MB is enough? We have already limit on passphrase from terminal
>> to 512 bytes.
>>
>> Fixed in svn already.
> 
> please document these limits properly in the manpage.

Sure. The loop aes limit was safety margin, I am really not sure which
configuration are even possible. It was set up according to documentation.

(And the reported keyfile was so nice, that it cut exactly the last
key so it detected 64 keys (v2 keyfile) instead of 65 and not failed because
of wrong key length as expected:-)

For the LUKS limit  must be documented and must not cause regressions
for people (that one is not yet limited in code, that remark above
was misleading, I just added TODO line.

Milan

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.3.0-rc1 (test release candidate)

[Milan Broz]

On 03/15/2011 01:09 PM, Arno Wagner wrote:

>> I will also limit LUKS keyfile in next version, mistake will cause problems
>> (reading the whole device in locked memory -> OOPS or something like that).
> 
> Indeed. What you could do is have it default to error instead of
> to cut-down and proceed. That would make more sense, since
> cutting it is almost always not going to work.

yup. This is common problem for all supported types, so I will probably
remove per-type limits, and add one maximal keyfile limit configurable
during compile time.

Exceeding this limit will cause fail.

Limiting keyfile read (if needed - like /dev/urandom or when stored
in the beginning of device) should be always possible using --keyfile-size
parameter (or --new-keyfile-size for new keyfile option).

(This commadline limit option should possibly override maximal compiled-in
limit if specified number is larger.)

Is it better approach? 

Milan

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.3.0-rc1 (test release candidate)

[Arno Wagner]

On Tue, Mar 15, 2011 at 01:36:32PM +0100, Milan Broz wrote:
> On 03/15/2011 01:09 PM, Arno Wagner wrote:
> 
> >> I will also limit LUKS keyfile in next version, mistake will cause problems
> >> (reading the whole device in locked memory -> OOPS or something like that).
> > 
> > Indeed. What you could do is have it default to error instead of
> > to cut-down and proceed. That would make more sense, since
> > cutting it is almost always not going to work.
> 
> yup. This is common problem for all supported types, so I will probably
> remove per-type limits, and add one maximal keyfile limit configurable
> during compile time.
> 
> Exceeding this limit will cause fail.
> 
> Limiting keyfile read (if needed - like /dev/urandom or when stored
> in the beginning of device) should be always possible using --keyfile-size
> parameter (or --new-keyfile-size for new keyfile option).
> 
> (This commadline limit option should possibly override maximal compiled-in
> limit if specified number is larger.)
> 
> Is it better approach? 
> 
> Milan


Sounds fine to me, especially if the commandline can override
the compile limit. Then the compile-limit protects everybody
except those that think they know what they are doing. And
those are responsible for their own actions. This would also
remove any need to think about extreme cases in the compile
limit.

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.3.0-rc1 (test release candidate)

[Ludwig Nussel]

Milan Broz wrote:
>  * Adds compatible support for loop-AES encryption type in loopaesOpen command.
> 
>    Linux dm-crypt in 2.6.38 and above supports loop-AES compatible mapping
>    (including multi-key and special CBC mode, all three modes are supported).
> 
>    If you have raw loop-AES keyfile (text file with uuencoded per-line keys), you can
>    access loop-AES volume using
>      cryptsetup loopaesOpen <device> <name> [--key-size 128] --key-file <key-file>

Do I gets this right, if multikey is not used loop aes is just
equivalent to aes-cbc-plain? Couldn't the existing 'create' action
be extended to just handle the loop-AES multikey mode as well? Ie no
additional command?

Note the IV produced by 'plain' is 32bit while loop-AES uses 64bit
IIRC. Ie there's an incompatibility for volumes larger than 2TB. So
you probably need to default to 'aes-cbc-plain64'. I guess that's
the reason why you introduced plain64 in the first place. :-)

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.3.0-rc1 (test release candidate)

[Milan Broz]

On 03/17/2011 02:36 PM, Ludwig Nussel wrote:
> Milan Broz wrote:
>>  * Adds compatible support for loop-AES encryption type in loopaesOpen command.
>>
>>    Linux dm-crypt in 2.6.38 and above supports loop-AES compatible mapping
>>    (including multi-key and special CBC mode, all three modes are supported).
>>
>>    If you have raw loop-AES keyfile (text file with uuencoded per-line keys), you can
>>    access loop-AES volume using
>>      cryptsetup loopaesOpen <device> <name> [--key-size 128] --key-file <key-file>
> 
> Do I gets this right, if multikey is not used loop aes is just
> equivalent to aes-cbc-plain? Couldn't the existing 'create' action
> be extended to just handle the loop-AES multikey mode as well? Ie no
> additional command?

There is additional hashing per line for loopAES keyfile and it warns user
if it detects GPG header. (create will simply map device without warning).

Yes, you can probably map this one one key mode using create command as well,
but using separate command allows version to be autodetected according
to number of lines in keyfile.

I do not want to mix these formats together, non-multikey loopAES mode
is not safe anyway and should not be used.

> Note the IV produced by 'plain' is 32bit while loop-AES uses 64bit
> IIRC. Ie there's an incompatibility for volumes larger than 2TB. So
> you probably need to default to 'aes-cbc-plain64'. I guess that's
> the reason why you introduced plain64 in the first place. :-)

Yes, that is just mistake, there should be plain64, thanks.
That's why I do release candidate to catch these things:)

Milan

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.3.0-rc1 (test release candidate)

[Milan Broz]

On 03/14/2011 10:13 PM, Rudolf Deilmann wrote:

> 2) Offset, skip and sizelimit support

> I was able to open such a partition with plain dmsetup; 'cryptsetup
> loopaesOpen' didn't work because '--size','--skip' and '--offset' are
> not supported. Perhaps you could add support for these switches to
> loopaesOpen; the necessary changes in cryptsetup seems trivial.
> ( '--offset' - but not '--skip' - is already mentioned in the manpage
> as a supported option for loopaesOpen )

I added offset support, seems loopAES always uses offset==skip
(IOW initial vector is always related to absolute sector size on the device).

Reading of keyfile from device can be limited by --keyfile-size switch,
but as described elsewhere there is no internal gpg support, so gpg encrypted
key is stored on device itself, you have to process it using gpg first.

I do not plan to add sizelimit option, this can just cause confusion.

(In fact you can do that using cryptsetup resize command afterwards
or by limiting underlying device. If it is problem, please show me
real example where it is needed.)

I'll release another RC soon (also with keyfile limits rewritten).

Thanks,
Milan

[dm-crypt] [ANNOUNCE] cryptsetup 1.3.0-rc2 (test release candidate)

[Milan Broz]

The second cryptsetup 1.3.0-rc2 release candidate is available at

   http://code.google.com/p/cryptsetup/

Feedback and bug reports are welcomed.

Thanks,
Milan

Cryptsetup 1.3.0 (rc2) Release Notes
====================================

Changes since version 1.3.0-rc1

 * Introduce maximum default keyfile size, add configure option, visible in --help.

   Cryptsetup now fails if read from keyfile exceeds internal limit.
   You can always specify keyfile size (overrides limit) by using --keyfile-size option.

 * Require the whole key read from keyfile in create command (regression in 1.2.0).

 * Fix offset option for loopaesOpen.

 * Lock memory in luksDump command.

Changes since version 1.2.0

Important changes
~~~~~~~~~~~~~~~~~
 * Several userspace crypto backends support

   cryptsetup now supports generic crypto backend interface which allows
   compile package with various crypto libraries, these are already implemented:

   * gcrypt (default, used in previous versions)
   * OpenSSL
   * NSS (because of missing ripemd160 it cannot provide full backward compatibility)
   * kernel userspace API (provided by kernel 2.6.38 and above)
     (Note that kernel userspace backend is very slow for this type of operation.
      But it can be usefull for embedded systems, because you can avoid userspace
      crypto library completely.)

   Backend is selected during configure time, using --with-crypto_backend option.

   configure --with-crypto_backend=BACKEND (gcrypt/openssl/nss/kernel) [gcrypt]

   Note that performance checked (iterations) in LUKS header will cause that
   real iteration time will differ with different backends.
   (There are huge differences in speed between libraries.)

 * Cryptsetup now automatically allocates loopback device (/dev/loop) if device
   argument is file and not plain device.

   This require Linux kernel 2.6.25 and above (which implements loop autoclear flag).

   You can see backing file in cryptsetup status output if underlying device is loopback.

 * Adds luksChangeKey command

    cryptestup luksChangeKey --key-file <old keyfile> <new keyfile> [--key-slot X] 
    cryptestup luksChangeKey [--key-slot X]  (for passphrase change)

   This command allows passphrase/keyfile change in one step. If no key slot is
   specified (and there is still free key slot on device) new slot is allocated before
   the old is purged.

   If --key-slot option is specified (or there is no free slot) command will overwrite
   existing slot.
   WARNING: Be sure you have another slot active or header backup when using explicit
            key slot (so you can unlock the device even after possible media failure).

 * Adds compatible support for loop-AES encryption type in loopaesOpen command.

   Linux dm-crypt in 2.6.38 and above supports loop-AES compatible mapping
   (including multi-key and special CBC mode, all three modes are supported).

   If you have raw loop-AES keyfile (text file with uuencoded per-line keys), you can
   access loop-AES volume using
     cryptsetup loopaesOpen <device> <name> [--key-size 128] --key-file <key-file>

   If you are using GPG encrypted keyfile
     gpg --decrypt <key-file> | cryptsetup loopaesOpen --key-file=- <device> <name>

   Do not forget to specify key size. Other ciphers than AES should work but were
   not tested. Version and hash is automatically detected according to number
   of lines in key file.

   Please note that loopAES dm-crypt mode is provided for compatibility reasons
   (so you do not need to patch kernel and util-linux to map existing volumes)
   but is is not, and never will be, optimized for speed.
   It is experimental feature for now.

 * WARNING: This is the last cryptsetup release which supports library with
            old API (using struct crypt_options).
            These calls are deprecated since 1.1.0 and AFAIK no application
            is using it in recent distros. Removing compatible code will allow
            new features to be implemented easily.

Other changes
~~~~~~~~~~~~~
 * Increase libcryptsetup version (loopAES change), still fully backward compatible.
 * Fixes static build (--disable-static-cryptsetup now works properly).
 * Supports secure data flag for device-mapper iotcl (will be in 2.6.39,
   forcing kernel to wipe all ioctl buffers with possible key data).
   To enable this flag you need new device-mapper library, in LVM2 2.02.84.
 * Add copyright texts into some files and adds GPL exception allowing
   to distribute resulting binaries linked with OpenSSL.
 * Update FAQ.
 * Fix message when locking memory fails.
 * Fix luksAddKey return code if master key is used.
 * Update some text files in distributions.
 * Add docs directory with Release Notes archive.
 * Do not hardcode loopback device name in tests, use internal loopback library.

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.3.0-rc1 (test release candidate)

[Rudolf Deilmann]

On Mon, 21 Mar 2011 19:21:50 +0100
Milan Broz <mbroz@redhat.com> wrote:
> I added offset support, seems loopAES always uses offset==skip
> (IOW initial vector is always related to absolute sector size on the
> device).

No, loopAES supports both options. It depends on user input:

--
-o offset
   The data start is moved offset bytes into the specified file or
   device. Normally offset is included in IV   (initialization
   vector) computations. If offset is prefixed with @ character, then
   offset is not included in IV computations. @ prefix functionality
   may not be supported on some older kernels and/or loop drivers.
--

Both options seems to be supported by dmcrypt/dmsetup. In the first case
IV offset is always identic to the sector offset, in the second case IV
offset is always zero.

(IV offset: 6th value at dmsetup table, sector offset: 8th value. I
hope, I haven't muddle something )

 
> I do not plan to add sizelimit option, this can just cause confusion.
> 
> (In fact you can do that using cryptsetup resize command afterwards
> or by limiting underlying device. If it is problem, please show me
> real example where it is needed.)

Sounds reasonable. It's main usage seems to be recovery if your
partition table is damaged or similar exceptional things happend.

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.3.0-rc1 (test release candidate)

[Milan Broz]

On 03/22/2011 07:47 PM, Rudolf Deilmann wrote:
> On Mon, 21 Mar 2011 19:21:50 +0100
> Milan Broz <mbroz@redhat.com> wrote:
>> I added offset support, seems loopAES always uses offset==skip
>> (IOW initial vector is always related to absolute sector size on the
>> device).
> 
> No, loopAES supports both options. It depends on user input:
> 
> --
> -o offset
>    The data start is moved offset bytes into the specified file or
>    device. Normally offset is included in IV   (initialization
>    vector) computations. If offset is prefixed with @ character, then
>    offset is not included in IV computations. @ prefix functionality
>    may not be supported on some older kernels and/or loop drivers.

I wonder how I missed that. Ok, the we just allow --skip and if
it is not explicitly defined, it will behave as now.
So @offset => --skip 0 --offset $offset/512, right?

I added test for default offset (and verification with losetup passes),
so it is just that @ prefix mode missing now.

> Both options seems to be supported by dmcrypt/dmsetup. In the first case
> IV offset is always identic to the sector offset, in the second case IV
> offset is always zero.

yes, everything is supported, this is just userspace handling.

> (IV offset: 6th value at dmsetup table, sector offset: 8th value. I
> hope, I haven't muddle something )

FYI the documentation is in kernel itself
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob_plain;f=Documentation/device-mapper/dm-crypt.txt;hb=HEAD

Thanks,
Milan

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.3.0-rc1 (test release candidate)

[Rudolf Deilmann]

On Tue, 22 Mar 2011 20:09:56 +0100
Milan Broz <mbroz@redhat.com> wrote:
> I wonder how I missed that. Ok, the we just allow --skip and if
> it is not explicitly defined, it will behave as now.

Yes.
However the current behaviour is that skip is implicitly set to
the same value as offset.
The default behaviour for plain-cryptsetup is that skip is set to
zero, if only offset is specified.
But I don't think this inconistency matters. There are also
inconsistencies in the interface between cryptsetup/plain and
cryptsetup/luks (e.g. order of name and device )

> So @offset => --skip 0 --offset $offset/512, right?

Yes.

Btw, I can't report any problems with other ciphers. Twofish and
serpent seem to work well, too.



cu,
 rudolf

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.3.0-rc1 (test release candidate)

[Milan Broz]

On 03/22/2011 09:44 PM, Rudolf Deilmann wrote:
> On Tue, 22 Mar 2011 20:09:56 +0100
> Milan Broz <mbroz@redhat.com> wrote:
>> I wonder how I missed that. Ok, the we just allow --skip and if
>> it is not explicitly defined, it will behave as now.
> 
> Yes.
> However the current behaviour is that skip is implicitly set to
> the same value as offset.
> The default behaviour for plain-cryptsetup is that skip is set to
> zero, if only offset is specified.
> But I don't think this inconistency matters.

Exactly. That's why I implemented it is as different command.

(But from the libcryptsetup point of view it is just another format,
no new functions, just format specific options.)

> There are also
> inconsistencies in the interface between cryptsetup/plain and
> cryptsetup/luks (e.g. order of name and device )

In fact, I hate these inconsistencies but I cannot switch order
or parameters now. And providing new commadline interface
causes even more problems...

> 
>> So @offset => --skip 0 --offset $offset/512, right?
> 
> Yes.

Code is already in svn, there is one change in library object
(format specific option missed skip option) but we can do that still,
so final 1.3.0 version will have that included.

> Btw, I can't report any problems with other ciphers. Twofish and
> serpent seem to work well, too.

Great.

Thanks again for testing,
Milan

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.3.0-rc1 (test release candidate)

[Rudolf Deilmann]

On Tue, 22 Mar 2011 22:05:06 +0100
Milan Broz <mbroz@redhat.com> wrote:
> Code is already in svn, [...]

Thanks again, Milan.

It looks fine to me. I was able to open old disks with it. And I've
also run a small script that systematically compared the output of
loop-aes and dmcrypt for different settings (cipher, keylength,
keymode, offset/iv computation,...). 

Some features are missing (key size 160 for dmcrypt, and various
losetup-switches (phash,itercountk), but it's unclear, if anyone use
them. ( At least as long as loop-aes is still maintained, it's  IHMO
not necessary to support exotic settings )

cu,
 rudolf

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.3.0-rc1 (test release candidate)

[Milan Broz]

On 03/23/2011 03:14 PM, Rudolf Deilmann wrote:
> On Tue, 22 Mar 2011 22:05:06 +0100

> Some features are missing (key size 160 for dmcrypt, and various
> losetup-switches (phash,itercountk), but it's unclear, if anyone use
> them. ( At least as long as loop-aes is still maintained, it's  IHMO
> not necessary to support exotic settings )

yes, it is expected. I can implement it if anyone uses it but I doubt
it is worth it. This is really not targeted as replacement but compatible
mode to open existing devices.

BTW key size 160 bits? strange size. for which cipher?
Probably kernel cryptoAPI module limitation, there should be no limit in dmcrypt.

Milan

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.3.0-rc1 (test release candidate)

[Rudolf Deilmann]

Am Wed, 23 Mar 2011 15:37:48 +0100
schrieb Milan Broz <mbroz@redhat.com>:

> BTW key size 160 bits? strange size. for which cipher?
> Probably kernel cryptoAPI module limitation, there should be no limit
> in dmcrypt.

it's mentioned for twofish and blowfish in my manpage of losetup
(losetup/loop-aes  accepts even other key lengths. I don't know,
if this behaviour is intentend or make sense at all )

http://loop-aes.sourceforge.net/ciphers.README mentions twofish160 only.
According to this document, it's necessary for compatibility with suse
8.1 encryption ( together with other unusal and insecure settings).

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.3.0-rc1 (test release candidate)

[Milan Broz]

On 03/23/2011 05:00 PM, Rudolf Deilmann wrote:
> Am Wed, 23 Mar 2011 15:37:48 +0100
> schrieb Milan Broz <mbroz@redhat.com>:
> 
>> BTW key size 160 bits? strange size. for which cipher?
>> Probably kernel cryptoAPI module limitation, there should be no limit
>> in dmcrypt.
> 
> it's mentioned for twofish and blowfish in my manpage of losetup
> (losetup/loop-aes  accepts even other key lengths. I don't know,
> if this behaviour is intentend or make sense at all )

ok, just quickly reading twofish cryptoAPI implementation in kernel,
it seems to not support 160bit (just 128, 192, 256).
so neither cryptsetup nor dmcrypt problem.

Milan

[dm-crypt] [ANNOUNCE] cryptsetup 1.3.0

[Milan Broz]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The stable cryptsetup 1.3.0 release is available at

   http://code.google.com/p/cryptsetup/

Feedback and bug reports are welcomed.

Milan

Cryptsetup 1.3.0 Release Notes
==============================

Changes since version 1.2.0

Important changes
~~~~~~~~~~~~~~~~~
 * Several userspace crypto backends support

   cryptsetup now supports generic crypto backend interface which allows
   compile package with various crypto libraries, these are already implemented:

   * gcrypt (default, used in previous versions)
   * OpenSSL
   * NSS (because of missing ripemd160 it cannot provide full backward compatibility)
   * kernel userspace API (provided by kernel 2.6.38 and above)
     (Note that kernel userspace backend is very slow for this type of operation.
      But it can be usefull for embedded systems, because you can avoid userspace
      crypto library completely.)

   Backend is selected during configure time, using --with-crypto_backend option.

   configure --with-crypto_backend=BACKEND (gcrypt/openssl/nss/kernel) [gcrypt]

   Note that performance checked (iterations) in LUKS header will cause that
   real iteration time will differ with different backends.
   (There are huge differences in speed between libraries.)

 * Cryptsetup now automatically allocates loopback device (/dev/loop) if device
   argument is file and not plain device.

   This require Linux kernel 2.6.25 and above (which implements loop autoclear flag).

   You can see backing file in cryptsetup status output if underlying device is loopback.

 * Introduce maximum default keyfile size, add configure option, visible in --help.

   Cryptsetup now fails if read from keyfile exceeds internal limit.
   You can always specify keyfile size (overrides limit) by using --keyfile-size option.

 * Adds luksChangeKey command

    cryptestup luksChangeKey --key-file <old keyfile> <new keyfile> [--key-slot X]
    cryptestup luksChangeKey [--key-slot X]  (for passphrase change)

   This command allows passphrase/keyfile change in one step. If no key slot is
   specified (and there is still free key slot on device) new slot is allocated before
   the old is purged.

   If --key-slot option is specified (or there is no free slot) command will overwrite
   existing slot.
   WARNING: Be sure you have another slot active or header backup when using explicit
            key slot (so you can unlock the device even after possible media failure).

 * Adds compatible support for loop-AES encryption type in loopaesOpen command.

   Linux dm-crypt in 2.6.38 and above supports loop-AES compatible mapping
   (including multi-key and special CBC mode, all three modes are supported).

   If you have raw loop-AES keyfile (text file with uuencoded per-line keys), you can
   access loop-AES volume using
     cryptsetup loopaesOpen <device> <name> [--key-size 128] --key-file <key-file>

   If you are using GPG encrypted keyfile
     gpg --decrypt <key-file> | cryptsetup loopaesOpen --key-file=- <device> <name>

   Do not forget to specify key size. Version and hash is automatically detected
   according to number of lines in key file. For special configuration you can
   override IV sector offset using --skip option, device offset with --offset
   and hash algorithm using --hash, see man page for details.

   Please note that loopAES dm-crypt mode is provided for compatibility reasons
   (so you do not need to patch kernel and util-linux to map existing volumes)
   but it is not, and never will be, optimized for speed.
   It is experimental feature for now.

 * Require the whole key read from keyfile in create command (regression in 1.2.0).

 * WARNING: This is the last cryptsetup release which supports library with
            old API (using struct crypt_options).
            These calls are deprecated since 1.1.0 and AFAIK no application
            is using it in recent distros. Removing compatible code will allow
            new features to be implemented easily.

Other changes
~~~~~~~~~~~~~
 * Lock memory also in luksDump command.
 * Fix return code when passphrase is read from pipe.
 * Increase libcryptsetup version (loopAES change), still fully backward compatible.
 * Fixes static build (--disable-static-cryptsetup now works properly).
 * Supports secure data flag for device-mapper ioctl (will be in 2.6.39,
   forcing kernel to wipe all ioctl buffers with possible key data).
   To enable this flag you need new device-mapper library, in LVM2 2.02.84.
 * Add copyright texts into some files and adds GPL exception allowing
   to distribute resulting binaries linked with OpenSSL.
 * Update FAQ.
 * Fix message when locking memory fails.
 * Fix luksAddKey return code if master key is used.
 * Update some text files in distributions.
 * Add docs directory with Release Notes archive.
 * Do not hardcode loopback device name in tests, use internal loopback library.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk2bdVYACgkQf1Jlc7shgi+0kACfWl6r6PW4drgs+gg/Dp2LJswF
ov4An1xyiyv2fXBXXsyyTAhF47dGFr41
=wjM/
-----END PGP SIGNATURE-----

[ANNOUNCE] cryptsetup 1.3.0

[Milan Broz]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The stable cryptsetup 1.3.0 release is available at

   http://code.google.com/p/cryptsetup/

Feedback and bug reports are welcomed.

Milan

Cryptsetup 1.3.0 Release Notes
==============================

Changes since version 1.2.0

Important changes
~~~~~~~~~~~~~~~~~
 * Several userspace crypto backends support

   cryptsetup now supports generic crypto backend interface which allows
   compile package with various crypto libraries, these are already implemented:

   * gcrypt (default, used in previous versions)
   * OpenSSL
   * NSS (because of missing ripemd160 it cannot provide full backward compatibility)
   * kernel userspace API (provided by kernel 2.6.38 and above)
     (Note that kernel userspace backend is very slow for this type of operation.
      But it can be usefull for embedded systems, because you can avoid userspace
      crypto library completely.)

   Backend is selected during configure time, using --with-crypto_backend option.

   configure --with-crypto_backend=BACKEND (gcrypt/openssl/nss/kernel) [gcrypt]

   Note that performance checked (iterations) in LUKS header will cause that
   real iteration time will differ with different backends.
   (There are huge differences in speed between libraries.)

 * Cryptsetup now automatically allocates loopback device (/dev/loop) if device
   argument is file and not plain device.

   This require Linux kernel 2.6.25 and above (which implements loop autoclear flag).

   You can see backing file in cryptsetup status output if underlying device is loopback.

 * Introduce maximum default keyfile size, add configure option, visible in --help.

   Cryptsetup now fails if read from keyfile exceeds internal limit.
   You can always specify keyfile size (overrides limit) by using --keyfile-size option.

 * Adds luksChangeKey command

    cryptestup luksChangeKey --key-file <old keyfile> <new keyfile> [--key-slot X]
    cryptestup luksChangeKey [--key-slot X]  (for passphrase change)

   This command allows passphrase/keyfile change in one step. If no key slot is
   specified (and there is still free key slot on device) new slot is allocated before
   the old is purged.

   If --key-slot option is specified (or there is no free slot) command will overwrite
   existing slot.
   WARNING: Be sure you have another slot active or header backup when using explicit
            key slot (so you can unlock the device even after possible media failure).

 * Adds compatible support for loop-AES encryption type in loopaesOpen command.

   Linux dm-crypt in 2.6.38 and above supports loop-AES compatible mapping
   (including multi-key and special CBC mode, all three modes are supported).

   If you have raw loop-AES keyfile (text file with uuencoded per-line keys), you can
   access loop-AES volume using
     cryptsetup loopaesOpen <device> <name> [--key-size 128] --key-file <key-file>

   If you are using GPG encrypted keyfile
     gpg --decrypt <key-file> | cryptsetup loopaesOpen --key-file=- <device> <name>

   Do not forget to specify key size. Version and hash is automatically detected
   according to number of lines in key file. For special configuration you can
   override IV sector offset using --skip option, device offset with --offset
   and hash algorithm using --hash, see man page for details.

   Please note that loopAES dm-crypt mode is provided for compatibility reasons
   (so you do not need to patch kernel and util-linux to map existing volumes)
   but it is not, and never will be, optimized for speed.
   It is experimental feature for now.

 * Require the whole key read from keyfile in create command (regression in 1.2.0).

 * WARNING: This is the last cryptsetup release which supports library with
            old API (using struct crypt_options).
            These calls are deprecated since 1.1.0 and AFAIK no application
            is using it in recent distros. Removing compatible code will allow
            new features to be implemented easily.

Other changes
~~~~~~~~~~~~~
 * Lock memory also in luksDump command.
 * Fix return code when passphrase is read from pipe.
 * Increase libcryptsetup version (loopAES change), still fully backward compatible.
 * Fixes static build (--disable-static-cryptsetup now works properly).
 * Supports secure data flag for device-mapper ioctl (will be in 2.6.39,
   forcing kernel to wipe all ioctl buffers with possible key data).
   To enable this flag you need new device-mapper library, in LVM2 2.02.84.
 * Add copyright texts into some files and adds GPL exception allowing
   to distribute resulting binaries linked with OpenSSL.
 * Update FAQ.
 * Fix message when locking memory fails.
 * Fix luksAddKey return code if master key is used.
 * Update some text files in distributions.
 * Add docs directory with Release Notes archive.
 * Do not hardcode loopback device name in tests, use internal loopback library.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk2bdVYACgkQf1Jlc7shgi+0kACfWl6r6PW4drgs+gg/Dp2LJswF
ov4An1xyiyv2fXBXXsyyTAhF47dGFr41
=wjM/
-----END PGP SIGNATURE-----
_______________________________________________
dm-crypt mailing list
dm-crypt-4q3lyFh4P1g@public.gmane.org
http://www.saout.de/mailman/listinfo/dm-crypt

Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.3.0-rc1 ( test release candidate)

[Ludwig Nussel]

Rudolf Deilmann wrote:
> Am Wed, 23 Mar 2011 15:37:48 +0100
> schrieb Milan Broz <mbroz@redhat.com>:
> 
> > BTW key size 160 bits? strange size. for which cipher?
> > Probably kernel cryptoAPI module limitation, there should be no limit
> > in dmcrypt.
> 
> it's mentioned for twofish and blowfish in my manpage of losetup
> (losetup/loop-aes  accepts even other key lengths. I don't know,
> if this behaviour is intentend or make sense at all )
> 
> http://loop-aes.sourceforge.net/ciphers.README mentions twofish160 only.
> According to this document, it's necessary for compatibility with suse
> 8.1 encryption ( together with other unusal and insecure settings).

Cryptsetup does support the odd format of those old images. The key
length for those images actually isn't 160 bits but 192 though. The
missing bits of the 160 bit ripemd160 output were padded with zeros.
The needed options for cryptsetup are
--cipher twofish-cbc-null -s 192 -h ripemd160:20

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

[dm-crypt] [ANNOUNCE] cryptsetup 1.3.1

[Milan Broz]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The stable cryptsetup 1.3.1 release is available at

   http://code.google.com/p/cryptsetup/

Feedback and bug reports are welcomed.

Milan

Cryptsetup 1.3.1 Release Notes
==============================

Changes since version 1.3.0

 * Fix keyfile=- processing in create command (regression in 1.3.0).

 * Simplify device path status check (use /sys and do not scan /dev).

 * Do not ignore device size argument for create command (regression in 1.2.0).

 * Fix error paths in blockwise code and lseek_write call.

 * Add optional Nettle crypto backend support.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk3b01oACgkQf1Jlc7shgi839wCdGoDzkhAT3C9M72Q4DppuC8Gv
xLQAniLnce06wzw7iwOLtvlpjPwOoaFZ
=YAom
-----END PGP SIGNATURE-----