* [dm-crypt] question
@ 2011-05-26 20:17 Guy Rachmuth
2011-05-27 12:14 ` Arno Wagner
0 siblings, 1 reply; 12+ messages in thread
From: Guy Rachmuth @ 2011-05-26 20:17 UTC (permalink / raw)
To: dm-crypt
Hello,
We are considering using you for our service. Would you consider this
product HIPAA compliant with respect to the strength of the encryption?
Best,
Guy
--
Guy Rachmuth Ph.D.
President and CEO
HEALTHeME Inc.
877-704-1818 ext 105
* Re: [dm-crypt] question
2011-05-26 20:17 Guy Rachmuth
@ 2011-05-27 12:14 ` Arno Wagner
0 siblings, 0 replies; 12+ messages in thread
From: Arno Wagner @ 2011-05-27 12:14 UTC (permalink / raw)
To: dm-crypt
As you cannot really get stronger encryption, it should
be. Also, you can change the defaults, if you need to.
Do you have a reference to the current HIPAA requirements?
Arno
On Thu, May 26, 2011 at 04:17:28PM -0400, Guy Rachmuth wrote:
> Hello,
>
> We are considering using you for our service. Would you consider this
> product HIPAA compliant with respect to the strength of the encryption?
>
> Best,
> Guy
>
> --
> Guy Rachmuth Ph.D.
> President and CEO
> HEALTHeME Inc.
> 877-704-1818 ext 105
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
* [dm-crypt] question
@ 2014-12-11 18:30 Sayler, Craig A. (AFRC-MI)[InuTeq, LLC]
2014-12-11 22:04 ` Matthias Schniedermeyer
0 siblings, 1 reply; 12+ messages in thread
From: Sayler, Craig A. (AFRC-MI)[InuTeq, LLC] @ 2014-12-11 18:30 UTC (permalink / raw)
To: dm-crypt@saout.de
Is there a way to decrypt a drive permanently without reinstalling?
Craig
* Re: [dm-crypt] question
2014-12-11 18:30 [dm-crypt] question Sayler, Craig A. (AFRC-MI)[InuTeq, LLC]
@ 2014-12-11 22:04 ` Matthias Schniedermeyer
2014-12-11 22:07 ` Sayler, Craig A. (AFRC-MI)[InuTeq, LLC]
` (2 more replies)
0 siblings, 3 replies; 12+ messages in thread
From: Matthias Schniedermeyer @ 2014-12-11 22:04 UTC (permalink / raw)
To: Sayler, Craig A. (AFRC-MI)[InuTeq, LLC]; +Cc: dm-crypt@saout.de
On 11.12.2014 18:30, Sayler, Craig A. (AFRC-MI)[InuTeq, LLC] wrote:
> Is there a way to decrypt a drive permanently without reinstalling?
Yes.
But the much safer way is:
Backup, make a new filesystem on the previous backing-device & Restore
from backup.
The unsafe(!) 'inplace' method (that as an advantage doesn't need
additional storage):
Just open the container normally, 'dd' the mapped container over the
backing device and pray that process isn't interrupted. Because it will
be a huge PITA if it gets interrupted.
But don't risk it, Backup & Restore is the way this should be done.
--
Matthias
* Re: [dm-crypt] question
2014-12-11 22:04 ` Matthias Schniedermeyer
@ 2014-12-11 22:07 ` Sayler, Craig A. (AFRC-MI)[InuTeq, LLC]
2014-12-11 22:54 ` Matthias Schniedermeyer
2014-12-12 12:12 ` Arno Wagner
2014-12-12 12:11 ` Arno Wagner
2014-12-14 18:15 ` Milan Broz
2 siblings, 2 replies; 12+ messages in thread
From: Sayler, Craig A. (AFRC-MI)[InuTeq, LLC] @ 2014-12-11 22:07 UTC (permalink / raw)
To: Matthias Schniedermeyer; +Cc: dm-crypt@saout.de
Ok Thank you for the response! No I have a system that someone removed the
key and there is no key left, is there a way to get in and get the data?
On 12/11/14 2:04 PM, "Matthias Schniedermeyer" <ms@citd.de> wrote:
>On 11.12.2014 18:30, Sayler, Craig A. (AFRC-MI)[InuTeq, LLC] wrote:
>> Is there a way to decrypt a drive permanently without reinstalling?
>
>Yes.
>
>But the much safer way is:
>Backup, make a new filesystem on the previous backing-device & Restore
>from backup.
>
>
>The unsafe(!) 'inplace' method (that as an advantage doesn't need
>additional storage):
>Just open the container normally, 'dd' the mapped container over the
>backing device and pray that process isn't interrupted. Because it will
>be a huge PITA if it gets interrupted.
>
>
>But don't risk it, Backup & Restore is the way this should be done.
>
>
>
>
>--
>
>Matthias
* Re: [dm-crypt] question
2014-12-11 22:07 ` Sayler, Craig A. (AFRC-MI)[InuTeq, LLC]
@ 2014-12-11 22:54 ` Matthias Schniedermeyer
2014-12-12 12:12 ` Arno Wagner
1 sibling, 0 replies; 12+ messages in thread
From: Matthias Schniedermeyer @ 2014-12-11 22:54 UTC (permalink / raw)
To: Sayler, Craig A. (AFRC-MI)[InuTeq, LLC]; +Cc: dm-crypt@saout.de
On 11.12.2014 22:07, Sayler, Craig A. (AFRC-MI)[InuTeq, LLC] wrote:
> Ok Thank you for the response! No I have a system that someone removed the
> key and there is no key left, is there a way to get in and get the data?
If it is still open you can copy it (or back it up).
If not and you don't have a header-backup I'm afraid that container is
unrecoverable.
> On 12/11/14 2:04 PM, "Matthias Schniedermeyer" <ms@citd.de> wrote:
>
> >On 11.12.2014 18:30, Sayler, Craig A. (AFRC-MI)[InuTeq, LLC] wrote:
> >> Is there a way to decrypt a drive permanently without reinstalling?
> >
> >Yes.
> >
> >But the much safer way is:
> >Backup, make a new filesystem on the previous backing-device & Restore
> >from backup.
> >
> >
> >The unsafe(!) 'inplace' method (that as an advantage doesn't need
> >additional storage):
> >Just open the container normally, 'dd' the mapped container over the
> >backing device and pray that process isn't interrupted. Because it will
> >be a huge PITA if it gets interrupted.
> >
> >
> >But don't risk it, Backup & Restore is the way this should be done.
> >
> >
> >
> >
> >--
> >
> >Matthias
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
--
Matthias
* Re: [dm-crypt] question
2014-12-11 22:04 ` Matthias Schniedermeyer
2014-12-11 22:07 ` Sayler, Craig A. (AFRC-MI)[InuTeq, LLC]
@ 2014-12-12 12:11 ` Arno Wagner
2014-12-12 12:59 ` Matthias Schniedermeyer
2014-12-14 18:15 ` Milan Broz
2 siblings, 1 reply; 12+ messages in thread
From: Arno Wagner @ 2014-12-12 12:11 UTC (permalink / raw)
To: dm-crypt
On Thu, Dec 11, 2014 at 23:04:53 CET, Matthias Schniedermeyer wrote:
> On 11.12.2014 18:30, Sayler, Craig A. (AFRC-MI)[InuTeq, LLC] wrote:
> > Is there a way to decrypt a drive permanently without reinstalling?
>
> Yes.
>
> But the much safer way is:
> Backup, make a new filesystem on the previous backing-device & Restore
> from backup.
>
>
> The unsafe(!) 'inplace' method (that as an advantage doesn't need
> additional storage):
> Just open the container normally, 'dd' the mapped container over the
> backing device and pray that process isn't interrupted. Because it will
> be a huge PITA if it gets interrupted.
>
>
> But don't risk it, Backup & Restore is the way this should be done.
Interesting approach! Should work though. But you are right that this
is very high risk.
Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
* Re: [dm-crypt] question
2014-12-11 22:07 ` Sayler, Craig A. (AFRC-MI)[InuTeq, LLC]
2014-12-11 22:54 ` Matthias Schniedermeyer
@ 2014-12-12 12:12 ` Arno Wagner
1 sibling, 0 replies; 12+ messages in thread
From: Arno Wagner @ 2014-12-12 12:12 UTC (permalink / raw)
To: dm-crypt
On Thu, Dec 11, 2014 at 23:07:02 CET, Sayler, Craig A. (AFRC-MI)[InuTeq, LLC] wrote:
> Ok Thank you for the response! No I have a system that someone removed the
> key and there is no key left, is there a way to get in and get the data?
No, and that is by design. After all "no key" cannot be entered
correctly, hence the LUKS container defaults to secure behavior.
Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
* Re: [dm-crypt] question
2014-12-12 12:11 ` Arno Wagner
@ 2014-12-12 12:59 ` Matthias Schniedermeyer
2014-12-13 0:21 ` Arno Wagner
0 siblings, 1 reply; 12+ messages in thread
From: Matthias Schniedermeyer @ 2014-12-12 12:59 UTC (permalink / raw)
To: dm-crypt
On 12.12.2014 13:11, Arno Wagner wrote:
> On Thu, Dec 11, 2014 at 23:04:53 CET, Matthias Schniedermeyer wrote:
> > On 11.12.2014 18:30, Sayler, Craig A. (AFRC-MI)[InuTeq, LLC] wrote:
> > > Is there a way to decrypt a drive permanently without reinstalling?
> >
> > Yes.
> >
> > But the much safer way is:
> > Backup, make a new filesystem on the previous backing-device & Restore
> > from backup.
> >
> >
> > The unsafe(!) 'inplace' method (that as an advantage doesn't need
> > additional storage):
> > Just open the container normally, 'dd' the mapped container over the
> > backing device and pray that process isn't interrupted. Because it will
> > be a huge PITA if it gets interrupted.
> >
> >
> > But don't risk it, Backup & Restore is the way this should be done.
>
> Interesting approach! Should work though. But you are right that this
> is very high risk.
Standard Unix methodology, I would say.
I did something similar, in reverse (unencrypted -> encrypted), some
years ago.
Although I wrote myself a script that did the work in steps, so I could
resume it if it ever got interrupted. (Better safe than sorry. In the
end it wasn't interrupted. But that's Murphy's Law: If you are prepared,
nothing will happen.)
The script did something like this:
    for each block
    do
        copy source to other stable storage
        fsync
        update state information
        fsync
        copy block from other stable storage to target
        fsync
        update state information
        fsync
    done
The detour is necessary to recover from a partial copy in the last step,
otherwise you would need to determine the exact spot (and hope the HDD
didn't do a partial sector write) to restart the process.
--
Matthias
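
[Added example, not part of the original thread and not the script described in the message above.] The step list above as runnable Python, with a simulated torn write to show why the detour through scratch storage allows a resume. The function names, the JSON state file, the 4096-byte block and the XOR stand-in for the dm-crypt mapping in demo() are all assumptions made for the illustration.

```python
import json, os
BLOCK = 4096  # assumed copy unit, a multiple of the sector size

def _fsync_write(path, data, mode="wb", offset=0):  # write, then force to disk
    with open(path, mode) as f:
        f.seek(offset)
        f.write(data)
        f.flush()
        os.fsync(f.fileno())

def _save_state(path, state):  # atomic: fsync a temp file, rename over the old
    _fsync_write(path + ".tmp", json.dumps(state).encode())
    os.replace(path + ".tmp", path)

def resumable_copy(read_block, target, scratch, state_path, nblocks, crash_at=None):
    """Copy read_block(0..nblocks-1) onto target; crash_at=i simulates a torn write."""
    state = {"block": 0, "staged": False}
    if os.path.exists(state_path):
        with open(state_path) as f:
            state = json.load(f)
    while state["block"] < nblocks:
        i = state["block"]
        if not state["staged"]:  # source block -> other stable storage
            _fsync_write(scratch, read_block(i))
            state["staged"] = True
            _save_state(state_path, state)
        with open(scratch, "rb") as f:
            data = f.read()
        if crash_at == i:  # half the block lands, then the process dies
            _fsync_write(target, data[:BLOCK // 2], "r+b", i * BLOCK)
            raise RuntimeError("simulated interruption")
        _fsync_write(target, data, "r+b", i * BLOCK)  # scratch -> target
        state = {"block": i + 1, "staged": False}
        _save_state(state_path, state)
    return state["block"]

def demo(workdir):
    img, plain = os.path.join(workdir, "backing.img"), bytes(range(256)) * 64
    _fsync_write(img, bytes(b ^ 0x5A for b in plain))  # constructed "ciphertext"
    def mapped(i):  # block i as seen through the "decrypting" view of img
        with open(img, "rb") as f:
            f.seek(i * BLOCK)
            return bytes(b ^ 0x5A for b in f.read(BLOCK))
    args = (mapped, img, os.path.join(workdir, "scratch"), os.path.join(workdir, "state"), 4)
    try:
        resumable_copy(*args, crash_at=2)
    except RuntimeError:
        pass  # "power loss" while block 2 was being written in place
    return resumable_copy(*args) == 4 and open(img, "rb").read() == plain
```

After the simulated interruption, block 2 of the image is half plaintext and half ciphertext and can no longer be read back through the mapping; the second call finishes it from the staged scratch copy instead.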
* Re: [dm-crypt] question
2014-12-12 12:59 ` Matthias Schniedermeyer
@ 2014-12-13 0:21 ` Arno Wagner
0 siblings, 0 replies; 12+ messages in thread
From: Arno Wagner @ 2014-12-13 0:21 UTC (permalink / raw)
To: dm-crypt
On Fri, Dec 12, 2014 at 13:59:10 CET, Matthias Schniedermeyer wrote:
> On 12.12.2014 13:11, Arno Wagner wrote:
> > On Thu, Dec 11, 2014 at 23:04:53 CET, Matthias Schniedermeyer wrote:
> > > On 11.12.2014 18:30, Sayler, Craig A. (AFRC-MI)[InuTeq, LLC] wrote:
> > > > Is there a way to decrypt a drive permanently without reinstalling?
> > >
> > > Yes.
> > >
> > > But the much safer way is:
> > > Backup, make a new filesystem on the previous backing-device & Restore
> > > from backup.
> > >
> > >
> > > The unsafe(!) 'inplace' method (that as an advantage doesn't need
> > > additional storage):
> > > Just open the container normally, 'dd' the mapped container over the
> > > backing device and pray that process isn't interrupted. Because it will
> > > be a huge PITA if it gets interrupted.
> > >
> > >
> > > But don't risk it, Backup & Restore is the way this should be done.
> >
> > Interesting approach! Should work though. But you are right that this
> > is very high risk.
>
> Standard Unix methodology, I would say.
Not really, as you are accessing the same block device once
directly and once through the dm-layer encryption at the same
time. Things like buffers become critical. For example, if any
buffer for a change of the original state is flushed with
a delay, things can get very messy and very broken. But if
the thing is not mounted, there should not be any longer-lived
buffers and hence it should work.
Regards,
Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
* Re: [dm-crypt] question
2014-12-11 22:04 ` Matthias Schniedermeyer
2014-12-11 22:07 ` Sayler, Craig A. (AFRC-MI)[InuTeq, LLC]
2014-12-12 12:11 ` Arno Wagner
@ 2014-12-14 18:15 ` Milan Broz
2014-12-14 20:23 ` Arno Wagner
2 siblings, 1 reply; 12+ messages in thread
From: Milan Broz @ 2014-12-14 18:15 UTC (permalink / raw)
To: Matthias Schniedermeyer, Sayler, Craig A. (AFRC-MI)[InuTeq, LLC]
Cc: dm-crypt@saout.de
On 12/11/2014 11:04 PM, Matthias Schniedermeyer wrote:
>
> The unsafe(!) 'inplace' method (that as an advantage doesn't need
> additional storage):
> Just open the container normally, 'dd' the mapped container over the
> backing device and pray that process isn't interrupted. Because it will
> be a huge PITA if it gets interrupted.
Just FYI...
I wonder why I did not add this option "permanently decrypt" to cryptsetup-reencrypt.
The reencrypt tool uses a similar approach to dd, only it can be safely interrupted
and restarted.
Added enhancement issue for it
https://code.google.com/p/cryptsetup/issues/detail?id=236
Milan
* Re: [dm-crypt] question
2014-12-14 18:15 ` Milan Broz
@ 2014-12-14 20:23 ` Arno Wagner
0 siblings, 0 replies; 12+ messages in thread
From: Arno Wagner @ 2014-12-14 20:23 UTC (permalink / raw)
To: dm-crypt
On Sun, Dec 14, 2014 at 19:15:57 CET, Milan Broz wrote:
> On 12/11/2014 11:04 PM, Matthias Schniedermeyer wrote:
> >
> > The unsafe(!) 'inplace' method (that as an advantage doesn't need
> > additional storage):
> > Just open the container normally, 'dd' the mapped container over the
> > backing device and pray that process isn't interrupted. Because it will
> > be a huge PITA if it gets interrupted.
>
> Just FYI...
>
> I wonder why I did not add this option "permanently decrypt" to
> cryptsetup-reencrypt.
This was likely just too obvious. Oversights like that happen to
me too.
> The reencrypt tool uses a similar approach to dd, only it can be safely
> interrupted and restarted.
Difference here would be that overwriting the header area
would need to be done last and data needs to be shifted
forward by the data-offset. Having a header-sized unused
area at the end should be non-critical.
> Added enhancement issue for it
> https://code.google.com/p/cryptsetup/issues/detail?id=236
Excellent.
Arno
> Milan
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier