Re: root-crypto with loop-aes on debian-testing, 2.6.15-1-686--via crypto-api ?

reverend@xxxxxxxxxxxxx wrote:
> Question:
> ERPOSS_3.iso looks to use crypto-api and loop-aes-128 and it could
> possibly make the problematic work, I installed it several times.
> Is it more easily possible to update such an installation towards aes-256-
> multikey ?

ERPOSS3-INSTALLATIONS.ISO appears to use kerneli.org cryptoloop, which is
the most broken implementation that you can find anywhere.

Loop-AES can mount such a file system like this:

  mount -t ext3 /dev/hda2 /mnt -o loop=/dev/loop0,encryption=AES128,phash=rmd160
                                                  ^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^

If you want to convert such a filesystem in-place to loop-AES-v3 multi-key,
you can do this on an _unmounted_ file system, on a KNOPPIX root shell:

  losetup -e AES128 -H rmd160 /dev/loop0 /dev/hda2
          ^^^^^^^^^ ^^^^^^^^^          ^
  losetup -e AES256 -K /boot/rootkey.gpg /dev/loop1 /dev/hda2
          ^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^          ^
  dd if=/dev/loop0 of=/dev/loop1 bs=4096k conv=notrunc
                 ^             ^
  losetup -d /dev/loop0
  losetup -d /dev/loop1

Where /boot/rootkey.gpg is your new gpg-encrypted 65-line key file. You will
also need to upgrade to newer mount/losetup/swapon programs, create a new
initrd using the build-initrd.sh script, and edit /etc/fstab and bootloader
configurations.
  
My advice is to make a backup of the file system before conversion. If the 'dd'
process doing the conversion is interrupted for any reason, then you end up
with a file system partially encrypted using the new crypto and the rest
encrypted with the old crypto, which means that it is rendered
unreadable/unfixable.

-- 
Jari Ruusu  1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9  DB 1D EB E3 24 0E A9 DD

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
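
The interrupted-dd failure mode described in the message above, handled with a per-chunk journal. This is an added example, not part of the original post or of loop-AES, and it goes beyond the single dd pass shown there; the function names, the state directory and the STOP_AFTER parameter are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: resumable form of the single dd pass. Each chunk's plaintext
# is stashed outside the converted device before the chunk is rewritten.
# Usage: convert_resumable SRC DST SIZE_BYTES STATE_DIR [STOP_AFTER]
#   SRC         old-key view (e.g. /dev/loop0)
#   DST         new-key view (e.g. /dev/loop1)
#   SIZE_BYTES  e.g. from: blockdev --getsize64 /dev/loop0
#   STATE_DIR   hypothetical journal dir; must NOT live on the converted device
#   STOP_AFTER  optional: stop after this many chunks (to exercise resume)
CHUNK=${CHUNK:-4194304}

save_next() {   # atomically record the index of the next unconverted chunk
    echo "$2" > "$1/next.tmp" && sync && mv "$1/next.tmp" "$1/next" && sync
}

convert_resumable() {
    src=$1 dst=$2 size=$3 state=$4 stop_after=${5:-0}
    total=$(( (size + CHUNK - 1) / CHUNK ))
    mkdir -p "$state" || return 1
    next=0
    [ -f "$state/next" ] && next=$(cat "$state/next")
    done_now=0
    while [ "$next" -lt "$total" ]; do
        stash="$state/stash.$next"
        if [ ! -f "$stash" ]; then
            # 1. Save the chunk's plaintext (read through the old key) first.
            dd if="$src" of="$stash.tmp" bs="$CHUNK" skip="$next" count=1 \
               conv=fsync 2>/dev/null || return 1
            mv "$stash.tmp" "$stash" && sync || return 1
        fi
        # 2. Write it through the new key. If the stash already existed, the
        #    previous run died here and the on-disk chunk may be mixed old/new
        #    ciphertext; replaying the saved plaintext repairs it.
        dd if="$stash" of="$dst" bs="$CHUNK" seek="$next" \
           conv=notrunc,fsync 2>/dev/null || return 1
        # 3. Advance the journal, then drop the stash.
        next=$((next + 1))
        save_next "$state" "$next" || return 1
        rm -f "$stash"
        done_now=$((done_now + 1))
        [ "$stop_after" -gt 0 ] && [ "$done_now" -ge "$stop_after" ] && break
    done
    return 0
}
```

The state directory briefly holds one chunk of decrypted file system data, so keep it on encrypted removable storage and wipe it when the conversion is finished.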

