From: Jan Janssen <medhefgo@web.de>
To: Milan Broz <gmazyland@gmail.com>
Cc: dm-crypt@saout.de
Subject: Re: [dm-crypt] Truecrypt system partition support
Date: Mon, 24 Jun 2013 15:55:16 +0200
Message-ID: <51C84FC4.3040104@web.de>
In-Reply-To: <51C7DDBC.9080107@gmail.com>

[-- Attachment #1: Type: text/plain, Size: 2738 bytes --]

On 06/24/2013 07:48 AM, Milan Broz wrote:
> Hm, seems like a completely different problem.
> I cannot check what's going on without more information here, ideally
> - cryptsetup output with --debug switch
> - tcryptDump (mainly offsets and data sizes stored there)
> - exact sizes of partitions (fdisk -l -u, blockdev --getsz /dev/sda* or so)
>
> (but please note it will provide some info which is hidden, do not send it
> if it is a problem :-)

Hi,

here's the info. The open log is attached.

TCRYPT header information for /dev/sda
Version:        5
Driver req.:    7
Sector size:    512
MK offset:      106928640
PBKDF2 hash:    ripemd160
Cipher chain:   aes
Cipher mode:    xts-plain64
MK bits:        512

# for i in /dev/sda*; do echo -n "$i: "; sudo blockdev --getsz $i; done
/dev/sda: 120103200
/dev/sda1: 208782
/dev/sda2: 62701695
/dev/sda3: 57192660

# fdisk -l -u
Disk /dev/sda: 61.5 GB, 61492838400 bytes, 120103200 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x000bfd29

    Device Boot      Start         End      Blocks   Id  System
/dev/sda1              63      208844      104391   83  Linux
/dev/sda2   *      208845    62910539    31350847+   7  HPFS/NTFS/exFAT
/dev/sda3        62910540   120103199    28596330   83  Linux

> Ideally I would like to reproduce it, for my encrypted VM on partition
> it works.
> How did you create this config? Any manipulations with partitions after
> system reencryption?

I did nothing peculiar to the system. Created the layout with gparted. I
did install grub2, but it also didn't work with the truecrypt bootloader.

>>
>> Also, something's off about the --key-file option with tcrypt. I can't
>> get it to accept my password from the file. But if I pipe it with cat
>> to stdin it works. Maybe it's supposed to be this way, but then I think
>> it needs extra mention in the manpage. And maybe there should be a way
>> to provide a --passphrase-file option or something along those lines
>> if the current handling is different to how it's handled for luks.
>
> So you are not using Truecrypt keyfile but just passphrase in file,
> so pipe is the correct way. I thought it is explained in man page
> but if not, it needs some care. If you have some idea how to describe
> it better, just send me a patch.
> (And adding more options will cause even more chaos here :)

After re-reading it's a little clearer now. I still miss a way to
supply the passphrase in a file without resorting to piping it to stdin.
It's not an issue for luks since it allows passphrases and keyfiles
together, but truecrypt doesn't allow keyfiles in system mode.

Jan

[-- Attachment #2: tcrypt-open.log --]
[-- Type: text/x-log, Size: 3750 bytes --]

# cryptsetup 1.6.2-git processing "cryptsetup --debug --tcrypt-system tcryptOpen /dev/sda windows"
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating crypt device /dev/sda context.
# Trying to open and read device /dev/sda.
# Initialising device-mapper backend library.
# STDIN descriptor passphrase entry requested.
# Trying to load TCRYPT crypt type from device /dev/sda.
# Crypto backend (gcrypt 1.5.2) initialized.
# Reading TCRYPT header of size 512 bytes from device /dev/sda.
# TCRYPT: trying KDF: pbkdf2-ripemd160-2000.
# TCRYPT:  trying cipher aes-xts-plain64
# TCRYPT:  trying cipher serpent-xts-plain64
# TCRYPT:  trying cipher twofish-xts-plain64
# TCRYPT:  trying cipher twofish-aes-xts-plain64
# TCRYPT:  trying cipher serpent-twofish-aes-xts-plain64
# TCRYPT:  trying cipher aes-serpent-xts-plain64
# TCRYPT:  trying cipher aes-twofish-serpent-xts-plain64
# TCRYPT:  trying cipher serpent-twofish-xts-plain64
# TCRYPT:  trying cipher aes-lrw-benbi
# TCRYPT:  trying cipher serpent-lrw-benbi
# TCRYPT:  trying cipher twofish-lrw-benbi
# TCRYPT:  trying cipher twofish-aes-lrw-benbi
# TCRYPT:  trying cipher serpent-twofish-aes-lrw-benbi
# TCRYPT:  trying cipher aes-serpent-lrw-benbi
# TCRYPT:  trying cipher aes-twofish-serpent-lrw-benbi
# TCRYPT:  trying cipher serpent-twofish-lrw-benbi
# TCRYPT:  trying cipher aes-cbc-tcrypt
# TCRYPT:  trying cipher serpent-cbc-tcrypt
# TCRYPT:  trying cipher twofish-cbc-tcrypt
# TCRYPT:  trying cipher twofish-aes-cbci-tcrypt
# TCRYPT:  trying cipher serpent-twofish-aes-cbci-tcrypt
# TCRYPT:  trying cipher aes-serpent-cbci-tcrypt
# TCRYPT:  trying cipher aes-twofish-serpent-cbci-tcrypt
# TCRYPT:  trying cipher serpent-twofish-cbci-tcrypt
# TCRYPT:  trying cipher cast5-cbc-tcrypt
# TCRYPT:  trying cipher des3_ede-cbc-tcrypt
# TCRYPT:  trying cipher blowfish_le-cbc-tcrypt
# TCRYPT:  trying cipher blowfish_le-aes-cbc-tcrypt
# TCRYPT:  trying cipher serpent-blowfish_le-aes-cbc-tcrypt
# TCRYPT: trying KDF: pbkdf2-ripemd160-1000.
# TCRYPT:  trying cipher aes-xts-plain64
# TCRYPT: Signature magic detected.
# TCRYPT: Header version: 5, req. 7, sector 512, mk_offset 106928640, hidden_size 0, volume size 32103267840
# TCRYPT: Header cipher aes-xts-plain64, key size 64
# Activating volume windows by volume key.
# dm version   OF   [16384] (*1)
# dm versions   OF   [16384] (*1)
# Detected dm-crypt version 1.12.1, dm-ioctl version 4.24.0.
# Device-mapper backend running with UDEV support enabled.
# dm status windows  OF   [16384] (*1)
# Calculated device size is 62701695 sectors (RW), offset 208845.
# Trying to activate TCRYPT device windows using cipher aes-xts-plain64.
# DM-UUID is CRYPT-TCRYPT-windows
# Udev cookie 0xd4df074 (semid 294912) created
# Udev cookie 0xd4df074 (semid 294912) incremented to 1
# Udev cookie 0xd4df074 (semid 294912) incremented to 2
# Udev cookie 0xd4df074 (semid 294912) assigned to CREATE task(0) with flags (0x0)
# dm create windows CRYPT-TCRYPT-windows OF   [16384] (*1)
# dm reload windows  OFW    [16384] (*1)
device-mapper: reload ioctl on  failed: Invalid argument
# Udev cookie 0xd4df074 (semid 294912) decremented to 1
# Udev cookie 0xd4df074 (semid 294912) incremented to 2
# Udev cookie 0xd4df074 (semid 294912) assigned to REMOVE task(2) with flags (0x0)
# dm remove windows  OFW    [16384] (*1)
# windows: Stacking NODE_DEL [verify_udev]
# Udev cookie 0xd4df074 (semid 294912) decremented to 1
# Udev cookie 0xd4df074 (semid 294912) waiting for zero
# Udev cookie 0xd4df074 (semid 294912) destroyed
# windows: Processing NODE_DEL [verify_udev]
# Releasing crypt device /dev/sda context.
# Releasing device-mapper backend.
# Unlocking memory.
Command successful.
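
An added cross-check, not part of the original message or of cryptsetup: it converts the header values from the debug log to sectors and compares them with the partition sizes and start sectors quoted in the message. It assumes `mk_offset` and `volume size` are byte counts (consistent with the log's own calculated offset); the function names are hypothetical.

```python
import re

SECTOR = 512  # "Sector size: 512" in the tcryptDump output
# Constructed sample input: lines copied from the message and its attached log.
DEBUG_LOG = """\
# TCRYPT: Header version: 5, req. 7, sector 512, mk_offset 106928640, hidden_size 0, volume size 32103267840
# Calculated device size is 62701695 sectors (RW), offset 208845.
"""
GETSZ = """\
/dev/sda: 120103200
/dev/sda1: 208782
/dev/sda2: 62701695
/dev/sda3: 57192660
"""
# Start sectors taken from the "fdisk -l -u" table in the message.
STARTS = {"/dev/sda1": 63, "/dev/sda2": 208845, "/dev/sda3": 62910540}

def header_geometry(log):
    """(offset, size) in sectors from the TCRYPT header debug line (assumed bytes)."""
    m = re.search(r"mk_offset (\d+), hidden_size \d+, volume size (\d+)", log)
    if not m:
        raise ValueError("no TCRYPT header line in log")
    off, size = int(m.group(1)), int(m.group(2))
    if off % SECTOR or size % SECTOR:
        raise ValueError("header values are not sector aligned")
    return off // SECTOR, size // SECTOR

def mapped_geometry(log):
    """(offset, size) in sectors that cryptsetup computed for the dm table."""
    m = re.search(r"Calculated device size is (\d+) sectors \(\w+\), offset (\d+)", log)
    if not m:
        raise ValueError("no calculated-size line in log")
    return int(m.group(2)), int(m.group(1))

def parse_getsz(text):
    """Map device name to size in sectors from the 'blockdev --getsz' loop output."""
    return {d: int(n) for d, n in (l.split(": ") for l in text.splitlines() if l)}

def triage(log, getsz, starts, disk="/dev/sda"):
    sizes = parse_getsz(getsz)
    off, size = header_geometry(log)
    match = [d for d, s in starts.items() if s == off and sizes.get(d) == size]
    return {"header": (off, size),
            "agrees_with_mapping": (off, size) == mapped_geometry(log),
            "partition": match[0] if match else None,
            "fits_on_disk": off + size <= sizes[disk]}

if __name__ == "__main__":
    print(triage(DEBUG_LOG, GETSZ, STARTS))
```

On the values in this message, the header geometry lines up with /dev/sda2 and lies within the disk.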
