> Anon wrote:
> >>Anon wrote:
> >>
> >>>Could I then use ReiserFS on top of a file backed loop device?
> >>
> >>
> >>the loop-AES.README also states:
> >>
> >> 1. Loop device primer
> >> [...]
> >> File backed loops may deadlock under some kernel + file system
> >> combinations.
> >> So, if you can choose between device backed and file backed, choose
> >> device backed even if it means that you have to re-partition your
> >> disks.
> >
> > I *am* planning on using a device-backed loop.
> >
> >
> >>so, file backed loops SHOULD be avoided, no matter if encrypted or not,
> >>with journaling fs on it or without. yes, it's possible and you SHOULD
> >>try it to see if it works for you. but in "most cases" file backed loops
> >>are behaving better.
> >
> > I assume you really meant device-backed loops in the last sentence above.
> >
> > My interest in using a file-backed loop is so that I can have a loop-AES device-backed loop
> > containing a loop-AES file-backed loop, for two (or more) layers of encryption.
> >
> > I have the impression from the loop-AES.README file that a non-journalling file system can be used in a
> > file-backed loop. It is my understanding from the ReiserFS documentation that using the "nolog"
> > option during mounting would satisfy the non-journalling criteria, as this option disables
> > journalling.
>
> For that scenario you only 'need' a filesystem for the last layer.
>
> You pack an encryption layer onto the partition/device.
> "losetup" it and losetup the next layer directly onto the newly created
> /dev/loop<x> device.
>
> That way you only stack block-devices and pack a filesystem on the last one.
>
> For a (say) 4 layer encryption you would stack;
>
> HDD -> Partition
>     -> Loop 1 -> Loop 2 -> Loop 3 -> Loop 4
>     -> Filesystem
>
> e.g.
> sdb -> sdb1 -> loop0 -> loop1 -> loop2 -> loop3 -> <whatever>
>
> If you want you can also pack the encryption keys before each layer
> using the "offset"-options to leave the needed space for the keys and
> shrink the block-device of each layer by a little bit.
>
> That way you had to actually break each encryption layer to even get the
> needed keys for the next. (Of course the key-sets are also encrypted
> by gpg or whatever else layer you may think of)

Thank you for the suggestion. I just read a similar suggestion for Jari,
though I need a more detailed example to actually implement the suggestion
(as in an example fstab and command line that properly sets up the stack of
loops). I never stacked loops before, and do not yet seem to understand how
I would stack loops.

While your suggestion with the keys residing in each layer may be
convenient, I think it needlessly reduces the security to Level 2 as stated
in the loop-AES.README. It would be just as convenient and easy to store the
keys external to the encrypted partition/loops.

Anon

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
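
The stacking described in the quoted reply, sketched as a dry-run command planner; this is an added example, not part of the original thread or of the loop-AES documentation. It assumes loop-AES's patched `losetup` (`-e` cipher, `-K` gpg-encrypted key file), the AES128 cipher, and hypothetical key files `layer1.gpg`, `layer2.gpg`, ... kept in a directory outside the encrypted disk.

```shell
#!/bin/sh
# Dry-run planner: prints the commands for a stack of loop-AES layers.
# Nothing is executed; review the output, then run it as root.
# Assumptions (not from the thread): cipher AES128 and key files named
# layerN.gpg in a directory that lives outside the encrypted partition.

# stack_up BACKING_DEVICE LAYERS KEYDIR MOUNTPOINT [OFFSET_BYTES]
stack_up() {
    backing=$1; layers=$2; keydir=$3; mnt=$4; offset=${5:-0}
    i=0
    while [ "$i" -lt "$layers" ]; do
        opts="-e AES128 -K $keydir/layer$((i + 1)).gpg"
        # Optional: reserve space at the start of each layer (the "offset" idea).
        if [ "$offset" -gt 0 ]; then
            opts="$opts -o $offset"
        fi
        echo "losetup $opts /dev/loop$i $backing"
        backing=/dev/loop$i      # the next layer sits on the loop just created
        i=$((i + 1))
    done
    # Only the top of the stack carries a file system (create it once with
    # mkfs on that device before the first mount).
    echo "mount $backing $mnt"
}

# stack_down LAYERS MOUNTPOINT: detach top-down, the reverse of setup.
stack_down() {
    layers=$1; mnt=$2
    echo "umount $mnt"
    i=$((layers - 1))
    while [ "$i" -ge 0 ]; do
        echo "losetup -d /dev/loop$i"
        i=$((i - 1))
    done
}

# Constructed sample: the thread's sdb1 with four layers.
stack_up /dev/sdb1 4 /media/usbkey /mnt/secure
stack_down 4 /mnt/secure
```

Each `losetup` line prompts for that layer's gpg passphrase when run, and a lower loop cannot be detached while a layer above it is still attached, which is why teardown runs in reverse.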