[dm-crypt] Questions about new ciphers

Milan Broz gmazyland at gmail.com
Sun Jan 14 19:52:03 CET 2018


On 01/14/2018 07:36 PM, Geo Kozey wrote:
> Thanks for the answers!
> 
>> ----------------------------------------
>> From: Milan Broz <gmazyland at gmail.com>
>>
>> IOW: unlocking (luksOpen) will always map the device, only the later access to device
>> could fail with integrity error (that is propagated to userspace as IO error).
>>
>> You can overwrite such failed sectors using direct-io write to fix auth tags then.
>>
> 
> Can you give me example tools/commands which I can use to fix this?

Basically dd with proper parameters (skip, seek) and oflag=direct should work.

(The direct-io is needed to avoid page-cache reads. If the IO is aligned to page,
it should probably work with normal write but direct-io works always, just
it must be aligned to underlying device sector sizes.)

I also have a trivial tool that tries to read the device per sector and if it detects
an IO error it tries to wipe it to "fix" it. (This was used for development.)
Wiping code is already integrated to cryptsetup, the selective sector repair will probably
need to be added to LUKS repair command later.
(Source is here https://github.com/mbroz/dm_int_tools )

And if you are using dm-integrity device with integritysetup tool (no encryption,
just integrity checksums), you can actually use --integrity-recovery-mode option
that will ignore checksums and allow you to access data directly.
(But this is not possible with LUKS2 and authenticated encryption.)

m.
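
A sketch of the per-sector scan-and-wipe approach described in this message, added here as an example; it is not the dm_int_tools code and not part of cryptsetup. The function name `scan_and_wipe`, the 512-byte default sector size and the injectable `pread` parameter are assumptions of this example.

```python
import errno
import mmap
import os
import sys


def scan_and_wipe(path, sector_size=512, direct=True, pread=os.preadv):
    """Read `path` one sector at a time and zero every sector that fails
    with EIO. Returns the list of rewritten sector numbers.

    The old contents of a rewritten sector are lost; the full-sector write
    only makes the sector readable again.
    """
    fd = os.open(path, os.O_RDWR | (os.O_DIRECT if direct else 0))
    # Anonymous mmap memory is page-aligned (O_DIRECT needs an aligned
    # buffer) and starts out zero-filled.
    buf = mmap.mmap(-1, sector_size)
    zeros = mmap.mmap(-1, sector_size)
    repaired = []
    try:
        size = os.lseek(fd, 0, os.SEEK_END)
        for sector in range(size // sector_size):
            offset = sector * sector_size
            try:
                pread(fd, [buf], offset)
            except OSError as exc:
                if exc.errno != errno.EIO:
                    raise  # e.g. EINVAL from a misaligned sector_size
                os.pwritev(fd, [zeros], offset)
                repaired.append(sector)
        os.fsync(fd)
    finally:
        os.close(fd)
        buf.close()
        zeros.close()
    return repaired


if __name__ == "__main__":
    # Usage: script.py /dev/mapper/<name> [sector_size]
    size = int(sys.argv[2]) if len(sys.argv) > 2 else 512
    print("rewritten sectors:", scan_and_wipe(sys.argv[1], size))
```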

