Re: loop-AES with ReiserFS for file-backed loop?

["Anon" <loop-aes@xxxxxxxxxxxxx>]

> Anon wrote: 
> >>Anon wrote:  
> >> 
> >>>Could I then use ReiserFS on top of a file backed loop device?    
> >> 
> >>  
> >>the loop-AES.README also states:  
> >>  
> >>    1. Loop device primer  
> >>    [...]  
> >>    File backed loops may deadlock under some kernel + file system  
> >>    combinations.  
> >>    So, if you can choose between device backed and file backed, choose  
> >>    device backed even if it means that you have to re-partition your  
> >>    disks.  
> >  
> > I *am* planning on using a device-backed loop.  
> >   
> >  
> >>so, file backed loops SHOULD be avoided, no matter if encrypted or not,   
> >>with journaling fs on it or without. yes, it's possible and you SHOULD   
> >>try it to see if it works for you. but in "most cases" file backed loops   
> >>are behaving better.  
> >  
> > I assume you really meant device-backed loops in the last sentance above.  
> >   
> > My interest in using a file-backed loop is so that I can have a loop-AES device-backed loop  
> > containing a loop-AES file-backed loop, for two (or more) layers of encryption.  
> >   
> > I have the impression from the loop-AES.README file a non-journalling file system can be used 
in a  
> > file-backed loop.  It is my understanding from the ReiserFS documentation that using the 
"nolog"  
> > option during mounting would satisfy the non-journalling criteria, as this option disables  
> > journalling.  
>  
> For that scenario you only 'need' a filesystem for the last layer. 
>  
> You pack an encryption layer onto the partion/device. 
> "losetup" it and losetup the next layer directly onto the newly created  
> /dev/loop<x> device. 
>  
> That way you only stack block-devices and pack a filesystem on the last one. 
>  
> For a (say) 4 layer encryption you would stack; 
>  
> HDD -> Partition 
> -> Loop 1 -> Loop 2 -> Loop 3 -> Loop 4 
> -> Filesystem 
>  
> e.g. 
> sdb -> sdb1 -> loop0 -> loop1 -> loop2 -> loop3 -> <whatever> 
>  
> If you want you can also pack the encryption keys before each layer  
> using the "offset"-options to leave the needed space for the keys and  
> shrink the block-device of each layer by a little bit. 
>  
> That way you had to actually break each encryption layer to even get the  
> needed keys for the next. (Of course the key-sets are also encrypted  
> with by gpg or whatever else layer you may think of) 
Thank you for the suggestion.  I just read a similar suggestion for Jari, though I need a more 
detailed example to actually implement the suggestion (as in an example fstab and command line 
that properly sets up the stack of loops).  I never stacked loops before, and do not yet seem to 
understand how I would stack loops. 
 
While your suggestion with the keys residing in each layer may be convenient, I think it 
needlessly reduces the security to Level 2 as stated in the loop-AES.README.  It would be just as 
convenient and easy to store the keys external to the encrypted partion/loops. 
 
Anon 
  

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/