[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Re-encrypting using multi-key (was Re: Upgrading to a 2.6 Kernel on a Loop-AES Machine)

By the way you changed the subject, are you saying I have to re-encrypt
the file system? It was already encrypted with a 2.4.22 kernel. 

On Thu, 2004-07-22 at 07:16, Jari Ruusu wrote:
> "Eloy A. Paris" wrote:
> > On Wed, Jul 21, 2004 at 04:28:10PM +0300, Jari Ruusu wrote:
> > > Mainline cryptoloop only does single-key mode, which has been broken.
> > > Since your root partition is using single-key mode, your setup is also
> > > broken. Re-encrypting using loop-AES multi-key mode is the way to go.
> > 
> > You bring up something I have been meaning to ask for a long time, but
> > keep forgetting: my hard drive is encrypted using single-key mode. What
> > is the recommended way of re-encrypting using multi-key mode? Does it
> > require booting with a rescue disk (Knoppix, for example) and using
> > aespipe? Any pitfalls to look for?
> 
> 1) Make sure that loop code (loop.o/loop.ko or kernel patch) is from any
>    loop-AES-v2.X version. Module must be copied to /boot/modules-XXXX/
>    directory, where XXXX is kernel version.
> 
> 2) Make sure that mount+losetup+swapon programs are from loop-AES-v2.X
>    util-linux patched version, including /bin/mount /bin/umount
>    /sbin/losetup /sbin/swapon and most importantly /boot/losetup
> 
> 3) Create /boot/rootkey.gpg by running step 9 of README example 7.5.
> 
> 4) Create new initrd.gz by running steps 10 to 13 of README example 7.5.
>    USEGPGKEY=1 must be set in build-initrd.sh config.
> 
> 5) Boot from rescue CD-ROM
> 
> 6) Mount /boot partition as /mnt, step 18 of README example 7.5.
> 
> 7) Run root partition data through two copies of aespipe. First one
>    decrypts your single-key encrypted data, and second one encrypts in
>    multi-key mode. aespipe version must be aespipe-v2.2a or newer.
> 
>     dd if=/dev/hda2 bs=64k \
>        | /mnt/aespipe -d -e AES128 -T -S `cat /mnt/seed.txt` -C 100 \
>        | /mnt/aespipe -e AES128 -K /mnt/rootkey.gpg -G / -w 120 \
>        | dd of=/dev/hda2 bs=64k conv=notrunc
> 
>    Above assumes that /dev/hda1 is /boot partition and /dev/hda2 is root
>    partition. First aespipe command line parameters must be same that you
>    used to encrypt, but with -d option added. Note that there is 120 second
>    delay before second aespipe asks for a password (it is that "-w 120"
>    option).
> 
> 8) Clean up by running step 20 of README example 7.5.
> 
> Above README file example 7.5. refers to loop-AES-v2.1b version.


-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/