
Re: Re-encrypting using multi-key, again



Christian Kujau wrote:
> reading http://www.spinics.net/lists/crypto/msg02814.html made me use
> aespipe but I felt like making some changes to the syntax, because I had
> no single-key setup and no "seed.txt". What I did was:
> 
> $ dd if=test.img bs=64k | aespipe -d -e aes128 -K ~/keys/sda8.gpg \
>   | aespipe -e aes128 -K ~/keys/sda8-v3.gpg -w120 \
>   | dd of=test.img bs=64k conv=notrunc

What aespipe version did you use?

v3 on-disk format encrypting aespipe must be version v2.3a or later. As of
this writing, there is no later version.

> - how I misused aespipe

Your "dd | aespipe -d | aespipe | dd" pipe looks ok.

> - if this is the way to go, to change the cipher/passphrase/keyfile
>   without reformatting the fs (I assume the answer is "yes")

The passphrase can be changed by re-encrypting the key file, or by changing
the gpg private key passphrase (public key crypto case). A change of cipher
type, cipher key length or key file content requires re-encryption of the
file system data.

> - how to figure out the right time to wait (aespipe -w) on large
>   filesystems without testing first

The wait is there only to prevent two aespipe programs asking for two
passphrases simultaneously. If you can type the first passphrase in 30
seconds, then -w30 is enough.

> maybe we'll have multi-key-v4 anytime soon and people have to switch
> again.

No such v4 plans yet.

> root@sheep:~# losetup -e aes128 -K ~/keys/sda8.gpg /dev/loop0 test.img
> root@sheep:~# losetup -a
> /dev/loop0: [0805]:16819615 (test.img) encryption=AES128 multi-key-v3
                                                                    ^^^
But ~/keys/sda8.gpg is already in v3 format. Typo?

> [ NOTE: sda8-v3.key was generated as in Ex.2 in loop-AES.README, sda8.key
> was generated following the loop-AES.README that came with loop-aes-v2.x
> once. ]

Above "losetup -a" output says otherwise.

Can you provide the output of the following commands:

    gpg --decrypt <~/keys/sda8.gpg | wc --lines
    gpg --decrypt <~/keys/sda8-v3.gpg | wc --lines

First command should output "64" and second command should output "65".

-- 
Jari Ruusu  1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9  DB 1D EB E3 24 0E A9 DD

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
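The line-count check Jari asks for, as an added example that is not part of the original thread and not loop-AES's own code: it maps the decrypted key file's line count to the format name using the numbers from the post (64 lines for multi-key-v2, 65 for multi-key-v3); treating a 1-line file as single-key is my assumption, and the sample key files are constructed dummy data, not real keys.

```shell
#!/bin/sh
# Added example: classify a loop-AES/aespipe key file by its line count.
# From the post: 64 lines -> multi-key-v2, 65 lines -> multi-key-v3.
# Assumption (not from the post): a 1-line file is a single-key file.

# Print the format name for a given number of key lines.
keyfile_format_for_count() {
    case "$1" in
        1)  echo "single-key" ;;
        64) echo "multi-key-v2" ;;
        65) echo "multi-key-v3" ;;
        *)  echo "unknown ($1 lines)"; return 1 ;;
    esac
}

# Classify an already-decrypted (plaintext) key file given by path.
# Blank lines are rejected because every line is expected to hold a key.
keyfile_format() {
    path=$1
    [ -r "$path" ] || { echo "unreadable: $path" >&2; return 2; }
    if grep -q '^$' "$path"; then
        echo "blank line in $path" >&2
        return 2
    fi
    # tr strips the leading spaces some wc implementations print.
    n=$(wc -l < "$path" | tr -d ' ')
    keyfile_format_for_count "$n"
}

# Same check for a gpg-encrypted key file, as in the post: decrypt into a
# pipe so the plaintext keys never touch the disk. (Needs gpg; not run here.)
gpg_keyfile_format() {
    n=$(gpg --decrypt < "$1" 2>/dev/null | wc -l | tr -d ' ')
    keyfile_format_for_count "$n"
}

# Constructed sample data: write COUNT dummy key lines (not real keys) to PATH.
make_sample_keyfile() {
    path=$1; count=$2; i=1
    : > "$path"
    while [ "$i" -le "$count" ]; do
        printf 'dummykey%02d\n' "$i" >> "$path"
        i=$((i + 1))
    done
}
```

A key file whose last line lacks a trailing newline is undercounted by wc, so an "unknown (63 lines)" result is worth re-checking with `tail -c1` before concluding the file is corrupt.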