Thu 09 of Sep, 2010 [12:57 UTC]  

MigrationToDm-crypt


Migration from cryptoloop and compatibility


The on-disk layouts used by the current 2.6 cryptoloop are supported by dm-crypt.
Cryptoloop also uses cryptoapi, so the names of the ciphers are the same. Cryptoloop also supports ECB and CBC mode. Use <cipher>-ecb and <cipher>-plain respectively with dm-crypt. If you didn't explicitly specify either -ecb or -cbc before, you don't need to now; the default plain IV generation will be used. There will be additional (incompatible, but more secure) possibilities in the future, because the unhashed sector number as IV is too predictable.

You'll need to figure out how your passphrase was turned into a key to use for losetup. There are several patches floating around doing things differently. But usually cryptsetup will provide a working solution to recreate the same key from your passphrase.
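To make the key-recreation step above concrete, here is an added example (not code from cryptsetup or from this page): a Python model of how cryptsetup's non-LUKS "create" mode is assumed to turn a passphrase into a key for a given -h and -s. The derivation rules and the sample passphrase are assumptions; verify them against your cryptsetup version before relying on them.

```python
import hashlib


def plain_mode_key(passphrase: bytes, key_bits: int, hash_name: str = "plain") -> bytes:
    """Model of the passphrase-to-key step for `cryptsetup -h HASH -s BITS create`.

    Assumed behaviour (check against your cryptsetup version):
      * -h plain: the passphrase bytes are the key, cut or zero-padded to -s.
      * any real hash: round n hashes n 'A' bytes followed by the passphrase;
        the digests are concatenated and cut to -s.
    """
    if key_bits <= 0 or key_bits % 8:
        raise ValueError("key size must be a positive multiple of 8 bits")
    size = key_bits // 8

    if hash_name == "plain":
        # No hashing at all: a short passphrase leaves trailing zero bytes,
        # a long one is silently truncated.
        return passphrase[:size].ljust(size, b"\x00")

    key = b""
    rnd = 0
    while len(key) < size:
        h = hashlib.new(hash_name)
        h.update(b"A" * rnd + passphrase)
        key += h.digest()
        rnd += 1
    return key[:size]


def unused_key_bytes(passphrase: bytes, key_bits: int) -> int:
    """How many bytes of a -h plain key are just zero padding."""
    return max(0, key_bits // 8 - len(passphrase))


if __name__ == "__main__":
    pw = b"correct horse"  # constructed sample passphrase
    for name in ("plain", "sha1", "sha256"):
        print(f"-h {name:6} -s 256 ->", plain_mode_key(pw, 256, name).hex())
    print("zero-padded bytes with -h plain:", unused_key_bytes(pw, 256))
```

If the filesystem on the new mapping does not check cleanly, a different -h or -s value producing a different key from the same passphrase is the first thing to compare against the old losetup setup.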

If you want to migrate from 2.4 cryptoloop, please take a look at Clemens Fruhwirth's Cryptoloop Migration Guide. He describes the differences between 2.4 and 2.6 cryptoapi (or basically the bugs in 2.4 cryptoapi...). If you need to cut the key size you can use the -s option instead of playing with dd. (BTW: Clemens has an i586-optimised version of the aes and serpent ciphers on his page, about twice as fast as the kernel implementation.)

Clemens Fruhwirth has written lo-tracker, about which he writes the following:
lo-tracker is a tool to extract raw key material from losetup. It does that by directly intercepting the ioctl calls dispatched to any file descriptor. Its purpose is to ease the migration to dm-crypt.

If anyone tries this tool, please update this page with your experiences.

One example

The machine I used for this test was running Gentoo Linux with a 2.6.9 kernel. This is how I used to mount the encrypted filesystem:
berbara root # losetup -e twofish-256 /dev/loop2 /root/encryptedfs
Password:
berbara root # fsck.ext3 /dev/loop2
e2fsck 1.35 (28-Feb-2004)
/dev/loop2: clean, 79058/1048576 files, 1768644/2097152 blocks


And this is how I now mount the filesystem with dm-crypt and cryptsetup:
berbara root # losetup /dev/loop3 /root/encryptedfs
berbara root # cryptsetup -c twofish -s 256 -h plain create cryptedfs /dev/loop3
Enter passphrase:
berbara root # fsck.ext3 -f /dev/mapper/cryptedfs
e2fsck 1.35 (28-Feb-2004)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/mapper/cryptedfs: 79058/1048576 files (6.0% non-contiguous), 1768644/2097152 blocks


Cryptsetup version 0.1 does not support mounting files directly, so we need to use the kernel's loopback support with losetup. The next release of cryptsetup will support a setup like this:
berbara root # cryptsetup -c twofish -s 256 -h plain create cryptedfs /root/encryptedfs


Created by: alex last modification: Thursday 05 of August, 2010 [12:42:44 UTC] by Anonymous


Posted messages

cryptoloop with multi-keys
on: Tue 15 of Mar, 2005 [14:47 UTC] score: 0.00
I cannot see any support in dm-crypt for replicating the on-disk layout when migrating from cryptoloop in multi-keys mode (which is the maintainer's recommended method).

So as far as I can tell it's not possible to migrate in one step; I can only suggest that volumes be converted from multi-keys to single-key mode. It is single-key mode that dm-crypt supports.



