Re: Prbl: Forgot to provide seed when crypting /

Pierre Bedel wrote:
> I'm stuck with an unusable disk :
> I followed loop-aes.readme and Gentoo's
> http://forums.gentoo.org/viewtopic.php?t=108162&postdays=0&postorder=asc&start=0 instructions on building
> encrypted root partition.
> 
> However, when modifying build-initrd.sh I uncommented the SEED and ITERATION
> options (can't remember exact names) and broke cardinal rule by not writing
> seed down on paper ;-(
> 
> I then followed the remaining instructions to the letter. Immediately after
> crypting my root from Knoppix, I remembered that I didn't provide any seed.
> 
> 2 questions :
> -how can I decrypt my root partition ?
>  dd if=/dev/hda5 bs=64k | /mnt/aespipe -d -K /mnt/rootkey.gpg -G / | \
>      dd of=/dev/hda5 bs=64k conv=notrunc
> -If providing seed in initrd what command should I have used ?
>  dd if=/dev/hda5 bs=64k | /mnt/aespipe -e AES256 -H SHA512 \
>      -K /mnt/rootkey.gpg -G / | \
>      dd of=/dev/hda5 bs=64k conv=notrunc

You can decrypt your root partition using exactly the same command syntax as
you used to encrypt it, except add the -d option to aespipe for 'decryption'.
Then you can re-run the 'encrypt' command pipe again with correct encryption
options.

If you want to view the seed and iteration in an existing initrd.gz file, do
something like this:

    zcat initrd.gz >z
    mount -r -t minix z /mnt -o loop
    strings -a /mnt/linuxrc | less
    umount /mnt

In multi-key mode, mount and losetup ignore seed and iteration. The gpg key
file already includes seed and iteration because the gpg program creates and
writes them there. IOW, gpg already does the right thing and protects the key
file against optimized dictionary attacks.

Single-key mode as used in loop-AES and mainline cryptoloop has nasty
exploitable weaknesses. I recommend that all new setups use the more secure
multi-key mode. In multi-key mode you don't need to manually set seed and/or
iteration. Your using seed and/or iteration suggests that you are doing
something wrong.

-- 
Jari Ruusu  1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9  DB 1D EB E3 24 0E A9 DD

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/

