Re: Re-encrypting using multi-key, again
Jari Ruusu wrote:
>
> What aespipe version did you use?
>
> v3 on-disk format encrypting aespipe must be version v2.3a or later. As of
> this writing, there is no later version.
oh, i have aespipe v2.2d - sorry i missed that. i'll upgrade and see what
it gives.
>>- how i misused aespipe
> Your "dd | aespipe -d | aespipe | dd" pipe looks ok.
ok.
>>- if this is the way to go, to change the cipher/passphrase/keyfile
>> without reformatting the fs (i assume the answer is "yes")
>
> Passphrase can be changed by re-encrypting the key file, or by changing gpg
> private key passphrase (public key crypto case).
yes, indeed.
> Cipher type or cipher key length or key file content change requires
> re-encryption of the file system data.
...which could be accomplished by "dd | aespipe -d | aespipe | dd", right?
>>- how to figure out the right time to wait (aespipe -w) on large
>> filesystems without testing first
>
> The wait is there only to prevent two aespipe programs asking two
> passphrases simultaneously. If you can type first passphrase in 30 seconds,
> then -w30 is enough.
ah, got it.
>>maybe we'll have multi-key-v4 anytime soon and people have to switch
>>again.
>
> No such v4 plans yet.
>
>>root@sheep:~# losetup -e aes128 -K ~/keys/sda8.gpg /dev/loop0 test.img
>>root@sheep:~# losetup -a
>>/dev/loop0: [0805]:16819615 (test.img) encryption=AES128 multi-key-v3
>
> ^^^
> But ~/keys/sda8.gpg is already in v3 format. Typo?
no typo. i've generated sda8.gpg as described in loop-AES.README when
multi-key-v2 was "state-of-the-art" - however, i don't know the syntax
anymore. when decrypting manually, gpg says "CAST5 encrypted data" and
"WARNING: message was not integrity protected", the plaintext consists of
3904 bytes (whoops, too much info for an open mailing list? *gg*)
> Above "losetup -a" output says otherwise.
indeed.
> Can you provide output of following commands:
>
> gpg --decrypt <~/keys/sda8.gpg | wc --lines
> gpg --decrypt <~/keys/sda8-v3.gpg | wc --lines
>
> First command should output "64" and second command should output "65".
yes, it really does.
the thing is, i've used losetup (from loop-aes-utils 2.12p) to encrypt a
new "test.img" - thus multi-key-v3 seems to be available for sda8.gpg too.
but i've got real partitions here too, all showing up with multi-key-v2. i
can't just mkfs on it then. i'll try with a current aespipe again. thanks
for your input, i really appreciate your work.
Christian.
---- strange tests ------
root@sheep:~# losetup -e aes128 -K ~/keys/sda8.gpg /dev/loop6 /dev/sda8
Password:
root@sheep:~# losetup -a | grep loop6
/dev/loop6: [0805]:380 (/dev/sda8) encryption=AES128 multi-key-v2
root@sheep:~#
root@sheep:~#
root@sheep:~# losetup -e aes128 -K ~/keys/sda8.gpg /dev/loop0 test.img
Password:
root@sheep:~# losetup -a | grep loop0
/dev/loop0: [0805]:16819615 (test.img) encryption=AES128 multi-key-v3
root@sheep:~#
(no typo, really)
--
BOFH excuse #391:
We already sent around a notice about that.
-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/