Jari Ruusu wrote:
>
> What aespipe version did you use?
>
> v3 on-disk format encrypting aespipe must be version v2.3a or later. As of
> this writing, there is no later version.

oh, i have aespipe v2.2d - sorry i missed that. i'll upgrade and see what
it gives.

>>- - how i misused aespipe
> Your "dd | aespipe -d | aespipe | dd" pipe looks ok.

ok.

>>- - if this is the way to go, to change the cipher/passphrase/keyfile
>> without reformatting the fs (i assume the answer is "yes")
>
> Passphrase can be changed by re-encrypting the key file, or by changing gpg
> private key passphrase (public key crypto case).

yes, indeed.

> Cipher type or cipher key length or key file content change requires
> re-encryption of the file system data.

...which could be accomplished by "dd | aespipe -d | aespipe | dd", right?

>>- - how to figure out the right time to wait (aespipe -w) on large
>> filesystems without testing first
>
> The wait is there only to prevent two aespipe programs asking two
> passphrases simultaneously. If you can type first passphrase in 30 seconds,
> then -w30 is enough.

ah, got it.

>>maybe we'll have multi-key-v4 anytime soon and people have to switch
>>again.
>
> No such v4 plans yet.
>
>>root@sheep:~# losetup -e aes128 -K ~/keys/sda8.gpg /dev/loop0 test.img
>>root@sheep:~# losetup -a
>>/dev/loop0: [0805]:16819615 (test.img) encryption=AES128 multi-key-v3
>
> ^^^
> But ~/keys/sda8.gpg is already in v3 format. Typo?

no typo. i've generated sda8.gpg as described in loop-AES.README when
multi-key-v2 was "state-of-the-art" - however, i don't know the syntax
anymore. when decrypting manually, gpg says "CAST5 encrypted data" and
"WARNING: message was not integrity protected", the plaintext consists of
3904 bytes (whoops, too much info for an open mailinglist? *gg*)

> Above "losetup -a" output says otherwise.

indeed.

> Can you provide output of following commands:
>
> gpg --decrypt <~/keys/sda8.gpg | wc --lines
> gpg --decrypt <~/keys/sda8-v3.gpg | wc --lines
>
> First command should output "64" and second command should output "65".

yes, it really does. the thing is, i've used losetup (from loop-aes-utils
2.12p) to encrypt a new "test.img" - thus multi-key-v3 seems to be
available for sda8.gpg too. but i've got real partitions here too, all
showing up with multi-key-v2. i can't just mkfs on it then.

i'll try with a current aespipe again.

thanks for your input, i really appreciate your work.

Christian.

---- strange tests ------

root@sheep:~# losetup -e aes128 -K ~/keys/sda8.gpg /dev/loop6 /dev/sda8
Password:
root@sheep:~# losetup -a | grep loop6
/dev/loop6: [0805]:380 (/dev/sda8) encryption=AES128 multi-key-v2
root@sheep:~#
root@sheep:~#
root@sheep:~# losetup -e aes128 -K ~/keys/sda8.gpg /dev/loop0 test.img
Password:
root@sheep:~# losetup -a | grep loop0
/dev/loop0: [0805]:16819615 (test.img) encryption=AES128 multi-key-v3
root@sheep:~#

(no typo, really)

--
BOFH excuse #391:

We already sent around a notice about that.

-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/