DM-Crypt Archive on lore.kernel.org
From: Milan Broz <gmazyland@gmail.com>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Non-standard cipher mode
Date: Wed, 18 Dec 2013 18:15:50 +0100
Message-ID: <52B1D846.4090109@gmail.com>
In-Reply-To: <20131218161328.GA12245@tansi.org>

On 12/18/2013 05:13 PM, Arno Wagner wrote:
> DO NOT EDIT THE HEADER. This will make your LUKS container
> inaccessible until you reverse the changes. What you now
> have is an aes-xts-plain64:sha512 container. You do not have
> ESSIV anywhere in there, XTS is an alternative to CBC-ESSIV.
> 
> That said, if you want another cipher or mode, easiest way is
> to re-create the container. A bit harder and risky without
> backup is to use Milan's reencryption tool.

Well, I fully agree.. but this case is kind of special.

The dmcrypt plain64 IV doesn't take additional arguments
(kernel should probably not allow to use them and not silently
ignore it...) so plain64 is exactly the same as plain64:sha512.

So properly editing header should help, but you have to be very
careful. (Use backup file, allow write access to it and edit
in some good hexa editor and restore it). Even one bit mistake
in keyslot area and your data are gone...

Really, if you can recreate whole device it could be better.
(Reencryption using cryptsetup-reencrypt is an option as well,
but it will take long time.)

Milan

> 
> Arno
> 
> On Wed, Dec 18, 2013 at 12:45:39 CET, FLD wrote:
>> I accidentally created a luks container using option --cipher
>> aes-xts-plain64:sha512. Everything seems to be working correctly and
>> luksDump shows: "Cipher mode:    xts-plain64:sha512". I wonder if I
>> should hexedit the header manually and replace the ":sha512" part with
>> nulls since the proper format would be just "xts-plain64" since the
>> cipher does not need a hash for the ESSIV?
> 
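
The header edit discussed in this thread, as an added example (not code from the message or from cryptsetup): it rewrites only the 32-byte cipher-mode field in the bytes of a header backup and checks that every other byte, including the key slot area, is unchanged. It assumes the LUKS version 1 on-disk layout (cipher-mode at offset 40); the function names and the sample header are constructed for illustration.

```python
import struct

# Assumed format: LUKS version 1 on-disk header.
MAGIC = b"LUKS\xba\xbe"
MODE_OFF, MODE_LEN = 40, 32   # cipher-mode field, NUL-padded char[32]
PHDR_LEN = 592                # 208-byte fixed part + 8 key slots * 48 bytes


def read_mode(hdr: bytes) -> str:
    """Return the cipher-mode string after checking magic and version."""
    if len(hdr) < PHDR_LEN or hdr[:6] != MAGIC:
        raise ValueError("not a LUKS header")
    (version,) = struct.unpack(">H", hdr[6:8])
    if version != 1:
        raise ValueError(f"unsupported LUKS version {version}")
    return hdr[MODE_OFF:MODE_OFF + MODE_LEN].split(b"\0", 1)[0].decode("ascii")


def strip_iv_argument(hdr: bytes) -> bytes:
    """Return a copy with the ':arg' suffix of a plain64 IV replaced by NULs."""
    mode = read_mode(hdr)
    base, sep, _arg = mode.partition(":")
    if not sep:
        return hdr  # no argument present, nothing to change
    # Only plain64 is handled: an ESSIV hash argument is significant.
    if base.rsplit("-", 1)[-1] != "plain64":
        raise ValueError(f"refusing to edit IV argument in {mode!r}")
    field = base.encode("ascii").ljust(MODE_LEN, b"\0")
    out = hdr[:MODE_OFF] + field + hdr[MODE_OFF + MODE_LEN:]
    # Guard: same length, and no byte outside the mode field differs.
    assert len(out) == len(hdr)
    assert out[:MODE_OFF] == hdr[:MODE_OFF]
    assert out[MODE_OFF + MODE_LEN:] == hdr[MODE_OFF + MODE_LEN:]
    return out


def make_sample_header(mode: bytes = b"xts-plain64:sha512") -> bytes:
    """Constructed sample: synthetic 592-byte header, no real key material."""
    hdr = (bytearray(range(256)) * 3)[:PHDR_LEN]
    hdr[0:8] = MAGIC + struct.pack(">H", 1)
    hdr[8:40] = b"aes".ljust(32, b"\0")
    hdr[40:72] = mode.ljust(32, b"\0")
    hdr[72:104] = b"sha1".ljust(32, b"\0")
    return bytes(hdr)


if __name__ == "__main__":
    before = make_sample_header()
    after = strip_iv_argument(before)
    print(read_mode(before), "->", read_mode(after))
```

On a real device the input would be the file written by `cryptsetup luksHeaderBackup`, and the edited copy would be compared against the untouched backup before any restore.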
