By the way, you changed the subject; are you saying I have to re-encrypt the file system? It was already encrypted with a 2.4.22 kernel.

On Thu, 2004-07-22 at 07:16, Jari Ruusu wrote:
> "Eloy A. Paris" wrote:
> > On Wed, Jul 21, 2004 at 04:28:10PM +0300, Jari Ruusu wrote:
> > > Mainline cryptoloop only does single-key mode, which has been broken.
> > > Since your root partition is using single-key mode, your setup is also
> > > broken. Re-encrypting using loop-AES multi-key mode is the way to go.
> >
> > You bring up something I have been meaning to ask for a long time, but
> > keep forgetting: my hard drive is encrypted using single-key mode. What
> > is the recommended way of re-encrypting using multi-key mode? Does it
> > require booting with a rescue disk (Knoppix, for example) and using
> > aespipe? Any pitfalls to look for?
>
> 1) Make sure that loop code (loop.o/loop.ko or kernel patch) is from any
> loop-AES-v2.X version. Module must be copied to /boot/modules-XXXX/
> directory, where XXXX is kernel version.
>
> 2) Make sure that mount+losetup+swapon programs are from loop-AES-v2.X
> util-linux patched version, including /bin/mount /bin/umount
> /sbin/losetup /sbin/swapon and most importantly /boot/losetup
>
> 3) Create /boot/rootkey.gpg by running step 9 of README example 7.5.
>
> 4) Create new initrd.gz by running steps 10 to 13 of README example 7.5.
> USEGPGKEY=1 must be set in build-initrd.sh config.
>
> 5) Boot from rescue CD-ROM
>
> 6) Mount /boot partition as /mnt, step 18 of README example 7.5.
>
> 7) Run root partition data through two copies of aespipe. First one
> decrypts your single-key encrypted data, and second one encrypts in
> multi-key mode. aespipe version must be aespipe-v2.2a or newer.
>
> dd if=/dev/hda2 bs=64k \
> | /mnt/aespipe -d -e AES128 -T -S `cat /mnt/seed.txt` -C 100 \
> | /mnt/aespipe -e AES128 -K /mnt/rootkey.gpg -G / -w 120 \
> | dd of=/dev/hda2 bs=64k conv=notrunc
>
> Above assumes that /dev/hda1 is /boot partition and /dev/hda2 is root
> partition. First aespipe command line parameters must be the same that you
> used to encrypt, but with -d option added. Note that there is a 120 second
> delay before second aespipe asks for a password (it is that "-w 120"
> option).
>
> 8) Clean up by running step 20 of README example 7.5.
>
> Above README file example 7.5. refers to loop-AES-v2.1b version.

-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
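The two-aespipe pass in step 7 writes the re-encrypted data back over /dev/hda2 as it reads it, so a wrong -e, -S, -C or passphrase on the decrypting aespipe destroys the partition with no undo. The following guard is an added example, not from the list post or from loop-AES: it decrypts only the first 1 MiB to a scratch file with the same single-key parameters and refuses to run the in-place pipeline unless an ext2/ext3 superblock shows up (assumed root filesystem type; the function names, the 1 MiB sample size and the command-string arguments are this example's own).

```shell
#!/bin/sh
# Added guard for the in-place "aespipe -d ... | aespipe ..." pass.
# Not from the list post or loop-AES. Assumes the root filesystem is
# ext2/ext3: magic 0xEF53 at byte 1080 (superblock at 1024 + s_magic at 56).

# probe_plaintext DEVICE 'DECRYPT-COMMAND'
#   DECRYPT-COMMAND is the first half of the pipeline as one shell string,
#   e.g. '/mnt/aespipe -d -e AES128 -T -S "$(cat /mnt/seed.txt)" -C 100'.
#   Returns 0 if a 1 MiB sample decrypts to data carrying the ext2/3 magic.
probe_plaintext() {
    dev=$1
    decrypt_cmd=$2
    sample=$(mktemp) || return 1
    # 16 x 64k = 1 MiB sample; the decrypted bytes go to the scratch file
    # only, never back to the device.
    dd if="$dev" bs=64k count=16 2>/dev/null | sh -c "$decrypt_cmd" >"$sample"
    # Little-endian 0xEF53 is the byte pair 53 ef.
    magic=$(dd if="$sample" bs=1 skip=1080 count=2 2>/dev/null \
            | od -An -tx1 | tr -d ' \n')
    rm -f "$sample"
    [ "$magic" = "53ef" ]
}

# reencrypt_in_place DEVICE 'DECRYPT-COMMAND' 'ENCRYPT-COMMAND'
#   Runs the probe first, then the same pipeline as in step 7 of the post.
#   ENCRYPT-COMMAND is e.g. '/mnt/aespipe -e AES128 -K /mnt/rootkey.gpg -G / -w 120'.
reencrypt_in_place() {
    dev=$1
    decrypt_cmd=$2
    encrypt_cmd=$3
    if ! probe_plaintext "$dev" "$decrypt_cmd"; then
        echo "refusing: sample of $dev does not decrypt to an ext2/3 superblock" >&2
        return 1
    fi
    dd if="$dev" bs=64k | sh -c "$decrypt_cmd" | sh -c "$encrypt_cmd" \
        | dd of="$dev" bs=64k conv=notrunc
}
```

Expect the decrypting aespipe to prompt for its passphrase once for the probe and again for the real pass.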