On Mon, Jun 21, 2004 at 08:17:17PM -0500, Lohan Knight wrote:
> But losetup still doesn't recognize any of the crypto ciphers.
>
> Here's the output:
>
> % losetup -e aes -k 256 /dev/loop7 /etc/encrypted.data
> The cipher does not exist, or a cipher module needs to be loaded into the
> kernel
> ioctl: LOOP_SET_STATUS: Invalid argument

What version of losetup and mount are you using? 2.12 is what's needed iirc.

> I then looked, and I saw that when I selected the cryptoloop module,
> it disabled the crypto API for me. And I don't see any modules at:
>
> % cat /proc/crypto
>
> (Ie, nothing appears when I cat it.)

Ok, that's odd.

> So apparently this means you can have one or the other, but not
> both, eh? Either you use cryptoloop or you use the built-in Crypto API?

I use both:

$ grep CRYPTO /usr/src/patches/configs/config-2.4.25
CONFIG_BLK_DEV_CRYPTOLOOP=y # Cryptoloop
CONFIG_CRYPTO=y # Crypto API stuff
CONFIG_CRYPTO_HMAC=y
# CONFIG_CRYPTO_NULL is not set
CONFIG_CRYPTO_MD4=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_DES=y
CONFIG_CRYPTO_BLOWFISH=y
CONFIG_CRYPTO_TWOFISH=m
CONFIG_CRYPTO_SERPENT=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_CAST5=m
CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_DEFLATE=y
# CONFIG_CRYPTO_TEST is not set
CONFIG_CRYPTO=y
CONFIG_CRYPTO_SHA256=y

> This doesn't make sense at all. Why use cryptoloop? What does it
> do? I thought the Crypto API did everything?

The cryptoloop patch (don't ask me why it isn't included in the vanilla
kernel, with the API) enables you to mount encrypted loop devices. That's it.
The crypto api is there to make it easier to use crypto in other patches or
programs. Take grsecurity for example, it requires sha256, and since it uses
the kernel api it doesn't need to be included in the grsecurity patch.

> And do I need a particular version of losetup (util-linux package)?
> If so, which one? And do I need to patch it with a patch file? If
> so, which one?

2.12 or later.

> Someone suggested I use loop-aes? I have to check into that.
> But does that mean that it only supports AES and not blowfish etc?
> If so, I want blowfish and the rest. I don't just want AES. Having
> a fast version of AES is nice, but not necessary.

loop-aes is nice and it does support the usual algorithms via an external
patch. The big drawback is that mount, umount, losetup, swapon and swapoff
have to be patched and recompiled, and loop-aes and cryptoloop don't work
with each other. It's a mess basically.

http://loop-aes.sourceforge.net/

> I dunno. I've been patching my kernels with the crypto patches
> since kernel 2.0.x. It's never been easy. And nobody ever seems
> to have a nice readme.txt file available to do it. I'm always left to
> beg for help on this mailing list. It's frustrating.

Check out the loop-aes "page", it has some nice docs. Have you checked out
http://www.tldp.org/HOWTO/Cryptoloop-HOWTO/ ?

To make things worse for us, but better security wise, they use a different
system in 2.6 now.

/Thomas
--
== thomas@xxxxxxxxxxxxxxxxxxxx | thomas@xxxxxxxxxxxx
== Encrypted e-mails preferred | GPG KeyID: 114AA85C
--
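Added example, not part of the message above and not code from any of the projects it mentions: a POSIX shell preflight check for the two things the reply points at, the kernel options (cryptoloop, the Crypto API and the chosen cipher) and the util-linux version. The function names and the sample config are constructed for illustration; 2.12 is the minimum version the reply recalls.

```shell
# Constructed sample config, modelled on the grep output in the message.
sample_config() {
cat <<'EOF'
CONFIG_BLK_DEV_CRYPTOLOOP=y
CONFIG_CRYPTO=y
# CONFIG_CRYPTO_NULL is not set
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_TWOFISH=m
EOF
}

# Print y, m or n for option $2 in config file $1. The '=' right after the
# name keeps CONFIG_CRYPTO from matching CONFIG_CRYPTO_AES.
kconfig_state() {
    val=$(sed -n "s/^$2=\([ym]\).*/\1/p" "$1" | head -n 1)
    echo "${val:-n}"
}

# Print the minor number of a version: 2.12 -> 12, 2.11z -> 11, 2 -> 0
minor_of() {
    m=${1#*.}; [ "$m" = "$1" ] && m=0
    m=${m%%[!0-9]*}; echo "${m:-0}"
}

# Succeed when version $1 is at least version $2 (major.minor only).
version_ge() {
    [ "${1%%.*}" -gt "${2%%.*}" ] && return 0
    [ "${1%%.*}" -lt "${2%%.*}" ] && return 1
    [ "$(minor_of "$1")" -ge "$(minor_of "$2")" ]
}

# $1 = config file, $2 = cipher (AES, BLOWFISH, ...), $3 = util-linux version.
# Prints one line per finding; returns 0 only when nothing is missing.
cryptoloop_ready() {
    rc=0
    for opt in CONFIG_BLK_DEV_CRYPTOLOOP CONFIG_CRYPTO "CONFIG_CRYPTO_$2"; do
        case $(kconfig_state "$1" "$opt") in
            y) echo "$opt: built in" ;;
            m) echo "$opt: module, must be loaded before losetup" ;;
            *) echo "$opt: not set"; rc=1 ;;
        esac
    done
    # Assumption: 2.12 is the minimum recalled in the reply, not verified here.
    version_ge "$3" 2.12 || { echo "util-linux $3 is older than 2.12"; rc=1; }
    return $rc
}

# Demo on the constructed config: AES passes, an old losetup is flagged.
cfg=$(mktemp); sample_config > "$cfg"
cryptoloop_ready "$cfg" AES 2.12
cryptoloop_ready "$cfg" TWOFISH 2.11z || echo "=> not ready"; rm -f "$cfg"
```

On a real system, point the first argument at the config the running kernel was built from and pass the version of the installed util-linux package.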