Re: util-linux and data encryption

From: Jari Ruusu
Date: Tue Oct 04 2005 - 00:15:31 EST


Paulo da Silva wrote:
> I had a loop filesystem encrypted with twofish
> algorithm.
>
> Today, trying to mount the file, 'mount' claimed
> I needed to enter a password of 20 chars or more!
> Since I used less chars to encrypt, I was not able
> to recover the information!!!
> I tried CFLAGS="-DLOOP_PASSWORD_MIN_LENGTH=8"
> without any success. This causes 'mount' to accept
> the password, but, somehow, the decryption failled
> because the fs type remained unrecognized!
>
> BTW, I am using gentoo and I also tried USE=old-crypt.
> No way!
>
> I needed to install the version 2.12i to recover
> my information.
>
> Is this related with util-linux or has something
> to do with gentoo patches or something?

Seems like gentoo has merged loop-AES' util-linux patch which has always
used better defaults.

Mainline util-linux compatible mount options for /etc/fstab

encryption=twofish256,phash=unhashed2

Mainline util-linux compatible losetup command options

losetup -e twofish256 -H unhashed2 ......

kerneli.org compatible mount options for /etc/fstab

encryption=twofish256,phash=rmd160

kerneli.org compatible losetup command options

losetup -e twofish256 -H rmd160 ......

mount and losetup programs don't enforce 20 character minimum passphrase
length when using 'rmd160' or 'unhashed2' hash functions.

Both mainline util-linux and kerneli.org compatible setups are broken
securitywise. If there still are file systems using such broken setups, now
is good time to re-encrypt them using stronger crypto.

--
Jari Ruusu 1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9 DB 1D EB E3 24 0E A9 DD
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/