Re-encrypting using multi-key, again
hello list,
apologies for abusing linux-crypto with loop-aes-only-related problems,
but it's my crypto-solution of choice ;-)
now that multi-key-v3 is the preferred key-mode with loop-aes, i wanted to
"switch" from multi-key-v2 to multi-key-v3 using a linux-2.6 kernel.
reading http://www.spinics.net/lists/crypto/msg02814.html made me use
aespipe but i felt like making some changes to the syntax, because i had
no single-key setup and no "seed.txt". what i did was:
$ dd if=test.img bs=64k | aespipe -d -e aes128 -K ~/keys/sda8.gpg \
| aespipe -e aes128 -K ~/keys/sda8-v3.gpg -w120 \
| dd of=test.img bs=64k conv=notrunc
$ losetup -e aes128 -K ~/keys/sda8-v3.gpg /dev/loop0 test.img
but after this, i could not mount test.img (loop0) anymore - all data
seems to be gone (luckily i really did this on the test.img first, not
with real, valuable data). (full log see below)
i wonder
- how i misused aespipe
- if this is the way to go, to change the cipher/passphrase/keyfile
  without reformatting the fs (i assume the answer is "yes")
- how to figure out the right time to wait (aespipe -w) on large
  filesystems without testing first
thank you for your ideas. i could imagine this is somehow a FAQ and adding
the (right) answers to loop-AES.README (Example 7) would be fine. maybe
we'll have multi-key-v4 anytime soon and people have to switch again.
Christian.
---------- some cmd snippets ----------
root@sheep:~# losetup -e aes128 -K ~/keys/sda8.gpg /dev/loop0 test.img
root@sheep:~# losetup -a
/dev/loop0: [0805]:16819615 (test.img) encryption=AES128 multi-key-v3
root@sheep:~# mount -t ext2 /dev/loop0 /mnt/cdrom/ [success]
root@sheep:~# umount /mnt/cdrom/
root@sheep:~# losetup -d /dev/loop0
root@sheep:~#
root@sheep:~# dd if=test.img bs=64k | aespipe -d -e aes128 -K \
~/keys/sda8.gpg | aespipe -e aes128 -K ~/keys/sda8-v3.gpg\
-w120 | dd of=test.img bs=64k conv=notrunc
Password:
Password:
800+0 records in
800+0 records out
52428800 bytes transferred in 134.029051 seconds (391175 bytes/sec)
111+5214 records in
111+5214 records out
52428800 bytes transferred in 134.027787 seconds (391179 bytes/sec)
root@sheep:~# ls -lah test.img
-rw-r--r-- 1 root root 50M Jan 16 03:14 test.img [size as before]
root@sheep:~# losetup -e aes128 -K ~/keys/sda8-v3.gpg /dev/loop0 test.img
Password:
root@sheep:~# mount -t ext2 /dev/loop0 /mnt/cdrom/
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
missing codepage or other error
In some cases useful info is found in syslog - try
dmesg | tail or so
[ NOTE: sda8-v3.key was generated as in Ex.2 in loop-AES.README, sda8.key
was generated following the loop-AES.README that came with loop-aes-v2.x
once. ]
--
BOFH excuse #82:
Yeah, yo mama dresses you funny and you need a mouse to delete files.
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/