On 11/05/2010 10:49 AM, octane indice wrote: > In order to better understand how cryptsetup works, I'm asking if there is a > 'big picture' or a debug mode explaining how things are done. (I'm asking > about cryptsetup, not LUKS). Then you are not asking about cryptsetup, but just about how dm-crypt works:) Cryptsetup just configures dm-crypt, there is no userspace crypto related (except LUKS operation or passphrase hashing in plain mode - output of this is just volume key directly used in dm-crypt) Start with kernel documentation http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob_plain;f=Documentation/device-mapper/dm-crypt.txt;hb=HEAD you can get active mapped target (after cryptsetup configures it) with dmsetup table --showkeys you can configure it using dmsetup too (dmsetup is just wrapper around dm-ioctl calls) > e.g. An explanation as. Password is taken from command line. > A read is made through /dev/mapper/crypted_disk > The first block is read. The AES-128-cbc operation is computed with options > like, iv= K= or salt=... > When we write a block, then which things are done, and so on. that's not job for cryptsetup, this is how dm-crypt works Example: in plain mode: - cryptsetup reads passphrase, hashes it using specified hash alg and use it directly as volume key - in luks mode it decrypts keyslot and read volume key from there The enryption in dm-crypt is common mode for storage FDE, each sector (512B) is encrypted separately with given cipher and mode) and initial vector. E.g. aes-cbc-plain : used cipher AES, cbc mode (so the 512B sector is divided to 16bytes cipher blocks for CBC) and with initial vector "plain" what here means just sector number. > Is there a tech documentation explaining that? The goal for me would to use > openssl in order to make a decryption of a disk ciphered by cryptsetup and > vice-versa. That makes no sense to me (if you are using Linux), except some exercise with openssl. What is the real goal here? Can you please explain it? > In a second time, I would think that it works the salme way with Luks, > excepts that the password is read from the luks header nad crypto operation > begins beyond the luks header. passphrase in LUKS mode is neither derived nor related to volume key used in encryption. passphrase just unlocks the slot where the key is stored. Milan _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
