* [gentoo-user] Problems with loop-aes
From: Walter Dnes @ 2014-05-06 18:31 UTC
To: Gentoo Users List
I'm trying to set up USB-key-encryption for use with a laptop. I'm
running mdev instead of udev on the laptop, so lvm doesn't work. I did
manage to create /dev/mapper/control by running "dmsetup mknodes"
manually, but still got error messages about being unable to initialize
the encryption backend.
Moving on to using loop-aes, I emerged sys-fs/loop-aes-3.7a and used
the "loop-aes" variant commands whilst following the only docs that
I could find, namely http://loop-aes.sourceforge.net/loop-AES.README
I ran into problems when trying to mount the loop device. Here's what
happens (passphrase is properly entered)...
[aa1][root][~] loop-aes-losetup -F /dev/loop0
Password:
ioctl: LOOP_MULTI_KEY_SETUP_V3: Invalid argument
Anybody have any ideas?
--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [gentoo-user] Problems with loop-aes
From: J. Roeleveld @ 2014-05-06 18:45 UTC
To: gentoo-user
On Tuesday, May 06, 2014 02:31:08 PM Walter Dnes wrote:
> I'm trying to set up USB-key-encryption for use with a laptop. I'm
> running mdev instead of udev on the laptop, so lvm doesn't work.
I find this strange, as LVM can manage the /dev-entries directly.
On my systems, this is necessary as udev regularly fails to properly handle
these entries.
E.g. the following setting: " verify_udev_operations = 1 "
There are other options for udev documented in /etc/lvm/lvm.conf.
Including one where LVM is configured to do ALL the /dev operations.
> I did
> manage to create /dev/mapper/control by running "dmsetup mknodes"
> manually, but still got error messages about being unable to initialize
> the encryption backend.
I believe " cryptsetup " does not use the LVM tools. But has a new device
created by the kernel directly, which should be picked up by a device manager
directly.
> Moving on to using loop-aes, I emerged sys-fs/loop-aes-3.7a and used
> the "loop-aes" variant commands whilst following the only docs that
> I could find, namely http://loop-aes.sourceforge.net/loop-AES.README
> I ran into problems when trying to mount the loop device. Here's what
> happens (passphrase is properly entered)...
>
> [aa1][root][~] loop-aes-losetup -F /dev/loop0
> Password:
> ioctl: LOOP_MULTI_KEY_SETUP_V3: Invalid argument
>
> Anybody have any ideas?
Never used the loop-aes-losetup.
I do use cryptsetup (with the luksopen/close options) successfully, but that is
with udev.
--
Joost
* Re: [gentoo-user] Problems with loop-aes
From: Walter Dnes @ 2014-05-06 21:34 UTC
To: gentoo-user
On Tue, May 06, 2014 at 08:45:01PM +0200, J. Roeleveld wrote
> On Tuesday, May 06, 2014 02:31:08 PM Walter Dnes wrote:
> > I'm trying to set up USB-key-encryption for use with a laptop. I'm
> > running mdev instead of udev on the laptop, so lvm doesn't work.
>
> I find this strange, as LVM can manage the /dev-entries directly.
> On my systems, this is necessary as udev regularly fails to properly handle
> these entries.
>
> E.g. the following setting: " verify_udev_operations = 1 "
> There are other options for udev documented in /etc/lvm/lvm.conf.
Unfortunately, mdev != udev. People running RAID have problems too.
> I believe " cryptsetup " does not use the LVM tools. But has a new device
> created by the kernel directly, which should be picked up by a device manager
> directly.
But cryptsetup pulls in lvm2 as a dependency...
[d531][waltdnes][~] emerge -pv cryptsetup
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild N ] sys-fs/lvm2-2.02.103 USE="readline (-clvm) (-cman) -lvm1 -lvm2create_initrd (-selinux) -static -static-libs -thin -udev" 1,313 kB
[ebuild N ] sys-fs/cryptsetup-1.6.2 USE="openssl -gcrypt -kernel -nettle -nls -python -reencrypt -static -static-libs -udev -urandom" PYTHON_SINGLE_TARGET="python2_7 -python2_6" PYTHON_TARGETS="python2_7 -python2_6" 1,162 kB
--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications
* Re: [gentoo-user] Problems with loop-aes
From: Alon Bar-Lev @ 2014-05-06 21:50 UTC
To: gentoo-user
Check out [1]
[1]
http://alonbl.shoutwiki.com/wiki/Gentoo/Linux_Disk_Encryption_Using_LoopAES_And_SmartCards
On Tue, May 6, 2014 at 9:31 PM, Walter Dnes <waltdnes@waltdnes.org> wrote:
> I'm trying to set up USB-key-encryption for use with a laptop. I'm
> running mdev instead of udev on the laptop, so lvm doesn't work. I did
> manage to create /dev/mapper/control by running "dmsetup mknodes"
> manually, but still got error messages about being unable to initialize
> the encryption backend.
>
> Moving on to using loop-aes, I emerged sys-fs/loop-aes-3.7a and used
> the "loop-aes" variant commands whilst following the only docs that
> I could find, namely http://loop-aes.sourceforge.net/loop-AES.README
> I ran into problems when trying to mount the loop device. Here's what
> happens (passphrase is properly entered)...
>
> [aa1][root][~] loop-aes-losetup -F /dev/loop0
> Password:
> ioctl: LOOP_MULTI_KEY_SETUP_V3: Invalid argument
>
> Anybody have any ideas?
>
> --
> Walter Dnes <waltdnes@waltdnes.org>
> I don't run "desktop environments"; I run useful applications
>
>
* Re: [gentoo-user] Problems with loop-aes
From: Walter Dnes @ 2014-05-07 4:36 UTC
To: gentoo-user
On Wed, May 07, 2014 at 12:50:53AM +0300, Alon Bar-Lev wrote
> Checkout[1]
>
> [1]
> http://alonbl.shoutwiki.com/wiki/Gentoo/Linux_Disk_Encryption_Using_LoopAES_And_SmartCards
Unfortunately, 90% of the wiki entry is irrelevant to my situation.
It's aimed at encrypting the entire machine, and making it bootable with
initramfs. I just need to encrypt a USB key.
I see that it also says to build various stuff with the "static" USE
flag. I assume this is for an initramfs boot. Looking at the ebuild, I
see that it strongly suggests static-libs builds for a whole bunch of
stuff. I don't know if this is required in all cases, or simply for
booting from an encrypted disk...
LIB_DEPEND="dev-libs/libgpg-error[static-libs(+)]
dev-libs/popt[static-libs(+)]
sys-apps/util-linux[static-libs(+)]
gcrypt? ( dev-libs/libgcrypt:0[static-libs(+)] )
nettle? ( >=dev-libs/nettle-2.4[static-libs(+)] )
openssl? ( dev-libs/openssl[static-libs(+)] )
sys-fs/lvm2[static-libs(+)]
sys-libs/e2fsprogs-libs[static-libs(+)]
udev? ( virtual/udev[static-libs(+)] )"
Also interesting is that this webpage recommends *NO* loop support in
the kernel. This may be important, i.e. loop-aes may provide the
support, and clash with the kernel code. Time to head off to bed
tonight. I'll try again in the morning.
--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications
* Re: [gentoo-user] Problems with loop-aes
From: J. Roeleveld @ 2014-05-07 6:11 UTC
To: gentoo-user
On Tuesday, May 06, 2014 05:34:52 PM Walter Dnes wrote:
> On Tue, May 06, 2014 at 08:45:01PM +0200, J. Roeleveld wrote
>
> > On Tuesday, May 06, 2014 02:31:08 PM Walter Dnes wrote:
> > > I'm trying to set up USB-key-encryption for use with a laptop. I'm
> > >
> > > running mdev instead of udev on the laptop, so lvm doesn't work.
> >
> > I find this strange, as LVM can manage the /dev-entries directly.
> > On my systems, this is necessary as udev regularly fails to properly
> > handle
> > these entries.
> >
> > E.g. the following setting: " verify_udev_operations = 1 "
> > There are other options for udev documented in /etc/lvm/lvm.conf.
>
> Unfortunately, mdev != udev. People running RAID have problems too.
I know it isn't. I just find it strange that LVM can't work without udev when I
see options which configure the LVM-tools to either double-check udev's actions
or even completely bypass udev:
***
# Set to 0 to disable udev synchronisation (if compiled into the
binaries).
# Processes will not wait for notification from udev.
# They will continue irrespective of any possible udev processing
# in the background. You should only use this if udev is not running
# or has rules that ignore the devices LVM2 creates.
# The command line argument --nodevsync takes precedence over this
setting.
# If set to 1 when udev is not running, and there are LVM2 processes
# waiting for udev, run 'dmsetup udevcomplete_all' manually to wake them
up.
udev_sync = 1
# Set to 0 to disable the udev rules installed by LVM2 (if built with
# --enable-udev_rules). LVM2 will then manage the /dev nodes and symlinks
# for active logical volumes directly itself.
# N.B. Manual intervention may be required if this setting is changed
# while any logical volumes are active.
udev_rules = 1
# Set to 1 for LVM2 to verify operations performed by udev. This turns on
# additional checks (and if necessary, repairs) on entries in the device
# directory after udev has completed processing its events.
# Useful for diagnosing problems with LVM2/udev interactions.
verify_udev_operations = 1
***
> > I believe " cryptsetup " does not use the LVM tools. But has a new device
> > created by the kernel directly, which should be picked up by a device
> > manager directly.
>
> But cryptsetup pulls in lvm2 as a dependency...
>
> [d531][waltdnes][~] emerge -pv cryptsetup
>
> These are the packages that would be merged, in order:
>
> Calculating dependencies... done!
> [ebuild N ] sys-fs/lvm2-2.02.103 USE="readline (-clvm) (-cman) -lvm1
> -lvm2create_initrd (-selinux) -static -static-libs -thin -udev" 1,313 kB
> [ebuild N ] sys-fs/cryptsetup-1.6.2 USE="openssl -gcrypt -kernel
> -nettle -nls -python -reencrypt -static -static-libs -udev -urandom"
> PYTHON_SINGLE_TARGET="python2_7 -python2_6" PYTHON_TARGETS="python2_7
> -python2_6" 1,162 kB
You need it for the device-mapper stuff. That might also listen to the above
setting in /etc/lvm/lvm.conf.
Can you try setting the above one to " 0" and re-test?
I don't have any machine with mdev to test myself.
Also, the following page seems to indicate cryptsetup, LVM and mdev do work
together:
http://jootamam.net/howto-basic-cryptsetup.htm
This works inside an initramfs and I don't see a reason why it can't work
outside of the initramfs.
--
Joost
* Re: [gentoo-user] Problems with loop-aes
From: Alon Bar-Lev @ 2014-05-07 6:48 UTC
To: gentoo-user
On Wed, May 7, 2014 at 7:36 AM, Walter Dnes <waltdnes@waltdnes.org> wrote:
>
> On Wed, May 07, 2014 at 12:50:53AM +0300, Alon Bar-Lev wrote
> > Checkout[1]
> >
> > [1]
> > http://alonbl.shoutwiki.com/wiki/Gentoo/Linux_Disk_Encryption_Using_LoopAES_And_SmartCards
>
> Unfortunately, 90% of the wiki entry is irrelevant to my situation.
> It's aimed at encrypting the entire machine, and making it bootable with
> initramfs. I just need to encrypt a USB key.
Encrypting USB key without booting from it?
> I see that it also says to build various stuff with the "static" USE
> flag. I assume this is for an initramfs boot. Looking at the ebuild, I
> see that it strongly suggests static-libs builds for a whole bunch of
> stuff. I don't know if this is required in all cases, or simply for
> booting from an encrypted disk...
>
> LIB_DEPEND="dev-libs/libgpg-error[static-libs(+)]
> dev-libs/popt[static-libs(+)]
> sys-apps/util-linux[static-libs(+)]
> gcrypt? ( dev-libs/libgcrypt:0[static-libs(+)] )
> nettle? ( >=dev-libs/nettle-2.4[static-libs(+)] )
> openssl? ( dev-libs/openssl[static-libs(+)] )
> sys-fs/lvm2[static-libs(+)]
> sys-libs/e2fsprogs-libs[static-libs(+)]
> udev? ( virtual/udev[static-libs(+)] )"
>
> Also interesting is that this webpage recommends *NO* loop support in
> the kernel. This may be important, i.e. loop-aes may provide the
> support, and clash with the kernel code. Time to head off to bed
> tonight. I'll try again in the morning.
Correct. If you want to use loop-aes you must disable the kernel loop,
this is how things are done.
Alon
* [gentoo-user] [SOLVED] Running cryptsetup under mdev
From: Walter Dnes @ 2014-05-07 18:11 UTC
To: gentoo-user
On Wed, May 07, 2014 at 08:11:02AM +0200, J. Roeleveld wrote
> On Tuesday, May 06, 2014 05:34:52 PM Walter Dnes wrote:
> >
> > Unfortunately, mdev != udev. People running RAID have problems too.
>
> I know it isn't. I just find it strange that LVM can't work without
> udev when I see options which configure the LVM-tools to either
> double-check udev's actions or even completely bypass udev:
Thanks for the pointer. After turning off the udev-related options in
lvm.conf, I'm getting /dev/mapper device nodes as expected. I still
can't get cryptsetup to work with LUKS, but it works fine *WITHOUT* LUKS
as per instructions at http://sleepyhead.de/howto/?href=cryptpart#woluks
In my case, the initial setup was...
cryptsetup -y create usbkey1 /dev/sdb1
mkfs.ext2 /dev/mapper/usbkey1
mount -t ext2 /dev/mapper/usbkey1 /mnt/usbkey1
umount /mnt/usbkey1
cryptsetup remove usbkey1
...and subsequent sessions...
cryptsetup -y create usbkey1 /dev/sdb1
mount -t ext2 /dev/mapper/usbkey1 /mnt/usbkey1
...do whatever...
umount /mnt/usbkey1
cryptsetup remove usbkey1
The setup and teardown commands have to be done as root, but I've
chowned /mnt/usbkey1 to waltdnes:users and confirmed that I can create
and delete files and directories as a regular user.
--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications
* Re: [gentoo-user] [SOLVED] Running cryptsetup under mdev
From: J. Roeleveld @ 2014-05-07 18:57 UTC
To: gentoo-user
On 7 May 2014 20:11:10 CEST, Walter Dnes <waltdnes@waltdnes.org> wrote:
>On Wed, May 07, 2014 at 08:11:02AM +0200, J. Roeleveld wrote
>> On Tuesday, May 06, 2014 05:34:52 PM Walter Dnes wrote:
>> >
>> > Unfortunately, mdev != udev. People running RAID have problems
>too.
>>
>> I know it isn't. I just find it strange that LVM can't work without
>> udev when I see options which configure the LVM-tools to either
>> double-check udev's actions or even completely bypass udev:
>
> Thanks for the pointer. After turning off the udev-related options in
>lvm.conf, I'm getting /dev/mapper device nodes as expected.
That is good. Now if only mdadm can be confirmed to work with mdev. I could try it on one of my machines.
> I still
>can't get cryptsetup to work with LUKS, but it works fine *WITHOUT*
>LUKS
>as per instructions at
>http://sleepyhead.de/howto/?href=cryptpart#woluks
>In my case, the initial setup was...
>
>cryptsetup -y create usbkey1 /dev/sdb1
>mkfs.ext2 /dev/mapper/usbkey1
>mount -t ext2 /dev/mapper/usbkey1 /mnt/usbkey1
>umount /mnt/usbkey1
>cryptsetup remove usbkey1
>
>...and subsequent sessions...
>
>cryptsetup -y create usbkey1 /dev/sdb1
>mount -t ext2 /dev/mapper/usbkey1 /mnt/usbkey1
>...do whatever...
>umount /mnt/usbkey1
>cryptsetup remove usbkey1
>
> The setup and teardown commands have to be done as root, but I've
>chowned /mnt/usbkey1 to waltdnes:users and confirmed that I can create
>and delete files and directories as a regular user.
The create and remove commands with LUKS also require root. They use a session manager in desktop environments to allow users to do it. Sudo with a secure wrapper script might be sufficient for you?
I was wondering. What is the actual reason why cryptsetup has a LUKS and non-LUKS set of options?
--
Joost
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
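Walter's create/mount/umount/remove sequence, packaged the way Joost suggests: one fixed script that a sudo rule can be limited to. This is an added example, not code from the thread or from cryptsetup; the device, mapping name and mount point are assumptions copied from Walter's post, and the allowlist and name checks are what make handing the script to sudo reasonable, since otherwise the caller could point it at any block device on the machine.

```shell
#!/bin/sh
# usbkey: sudo wrapper around the plain-mode cryptsetup sequence from the thread.
# Added example, not from the list posts; device, mapping name and mount point
# are assumptions taken from Walter's setup.
set -eu

ALLOWED_DEVICE="/dev/sdb1"   # the only device this wrapper will ever open
MAPPER_NAME="usbkey1"        # default dm-crypt mapping name -> /dev/mapper/usbkey1
MOUNTPOINT="/mnt/usbkey1"

# A mapping name may contain only letters, digits, '_' and '-', so a caller
# cannot smuggle a path component or shell metacharacters into cryptsetup.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The device argument must match the allowlist exactly; with sudo in front,
# anything looser would let the caller map arbitrary disks.
valid_device() {
    [ "$1" = "$ALLOWED_DEVICE" ]
}

# usb_open DEVICE [NAME]: set up the mapping and mount it.
usb_open() {
    dev=$1
    name=${2:-$MAPPER_NAME}
    valid_device "$dev" || { echo "device not allowed: $dev" >&2; return 2; }
    valid_name "$name"  || { echo "bad mapping name: $name" >&2; return 2; }
    # -y asks for the passphrase twice. Plain mode has no header to check
    # against, so a typo yields a different key and unreadable data, never
    # an error from cryptsetup itself.
    cryptsetup -y create "$name" "$dev"
    # A mount failure here usually means a mistyped passphrase; tear the
    # mapping down again instead of leaving a stale device in /dev/mapper.
    if ! mount -t ext2 "/dev/mapper/$name" "$MOUNTPOINT"; then
        cryptsetup remove "$name"
        return 1
    fi
}

# usb_close [NAME]: unmount and drop the mapping.
usb_close() {
    name=${1:-$MAPPER_NAME}
    valid_name "$name" || { echo "bad mapping name: $name" >&2; return 2; }
    umount "$MOUNTPOINT"
    cryptsetup remove "$name"
}

# Dispatch only when an action is given, so sourcing the file merely
# defines the functions.
case "${1:-}" in
    open)  usb_open "${2:-$ALLOWED_DEVICE}" "${3:-}" ;;
    close) usb_close "${2:-}" ;;
esac
```

Installed root-owned and non-writable (an assumed path such as /usr/local/sbin/usbkey) and named in a sudoers rule as the only command the user may run as root, this gives a regular user exactly the two privileged operations Walter needs and nothing else. Note that the wrapper cannot tell a wrong passphrase from a right one before the mount; plain mode has no key verification, which is the gap Matti's later reply describes.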
* Re: [gentoo-user] [SOLVED] Running cryptsetup under mdev
From: Andrew Savchenko @ 2014-05-08 10:36 UTC
To: gentoo-user
On Wed, 07 May 2014 20:57:29 +0200 J. Roeleveld wrote:
> On 7 May 2014 20:11:10 CEST, Walter Dnes <waltdnes@waltdnes.org>
> wrote:
> >On Wed, May 07, 2014 at 08:11:02AM +0200, J. Roeleveld wrote
> >> On Tuesday, May 06, 2014 05:34:52 PM Walter Dnes wrote:
> >> >
> >> > Unfortunately, mdev != udev. People running RAID have
> >> > problems
> >too.
> >>
> >> I know it isn't. I just find it strange that LVM can't work
> >> without udev when I see options which configure the LVM-tools
> >> to either double-check udev's actions or even completely bypass
> >> udev:
> >
> > Thanks for the pointer. After turning off the udev-related
> > options in
> >lvm.conf, I'm getting /dev/mapper device nodes as expected.
>
> That is good. Now if only mdadm can be confirmed to work with
> mdev. I could try it on one of my machines.
And what is the problem with mdadm with mdev? I have such setup:
nothing special here and works fine.
Just to speed up device lookup:
$ grep -v ^# /etc/mdadm.conf
DEVICE /dev/sd*
And here we go:
$ cat /proc/mdstat
Personalities : [raid10]
md0 : active raid10 sdd[3] sdf[2]
2930265088 blocks super 1.2 256K chunks 2 far-copies [2/2] [UU]
Best regards,
Andrew Savchenko
* Re: [gentoo-user] [SOLVED] Running cryptsetup under mdev
From: J. Roeleveld @ 2014-05-12 6:51 UTC
To: gentoo-user
On Thursday, May 08, 2014 02:36:29 PM Andrew Savchenko wrote:
> On Wed, 07 May 2014 20:57:29 +0200 J. Roeleveld wrote:
> > On 7 May 2014 20:11:10 CEST, Walter Dnes <waltdnes@waltdnes.org>
> >
> > wrote:
> > >On Wed, May 07, 2014 at 08:11:02AM +0200, J. Roeleveld wrote
> > >
> > >> On Tuesday, May 06, 2014 05:34:52 PM Walter Dnes wrote:
> > >> > Unfortunately, mdev != udev. People running RAID have
> > >> >
> > >> > problems
> > >
> > >too.
> > >
> > >> I know it isn't. I just find it strange that LVM can't work
> > >> without udev when I see options which configure the LVM-tools
> > >> to either double-check udev's actions or even completely bypass
> > >
> > >> udev:
> > > Thanks for the pointer. After turning off the udev-related
> > > options in
> > >
> > >lvm.conf, I'm getting /dev/mapper device nodes as expected.
> >
> > That is good. Now if only mdadm can be confirmed to work with
> > mdev. I could try it on one of my machines.
>
> And what is the problem with mdadm with mdev?
Only that Walter mentioned that people with Raid have issues too.
> I have such setup:
> nothing special here and works fine.
>
> Just to speed up device lookup:
>
> $ grep -v ^# /etc/mdadm.conf
> DEVICE /dev/sd*
>
> And here we go:
>
> $ cat /proc/mdstat
> Personalities : [raid10]
> md0 : active raid10 sdd[3] sdf[2]
> 2930265088 blocks super 1.2 256K chunks 2 far-copies [2/2] [UU]
Do the devices get created correctly in /dev as well?
Many thanks,
Joost
* Re: [gentoo-user] [SOLVED] Running cryptsetup under mdev
From: Matti Nykyri @ 2014-05-12 7:21 UTC
To: gentoo-user@lists.gentoo.org
On May 7, 2014, at 21:57, "J. Roeleveld" <joost@antarean.org> wrote:
> The create and remove commands with LUKS also require root. They use a session manager in desktop environments to allow users to do it. Sudo with a secure wrapper script might be sufficient for you?
>
> I was wondering. What is the actual reason why cryptsetup has a LUKS and non-LUKS set of options?
Well that is of course to let you have the control over how the encryption is done.
From the kernel's point of view, disk encryption is just bare encryption with the given parameters. These include the cipher (AES etc), the mode (CBC, CTR etc), the Initialization Vector (IV) creation (ESSIV etc) and, last but not least, the key that is used with the cipher. Now without LUKS, cryptsetup just sets these parameters and you have to provide them each time to cryptsetup when you are using your encrypted volume.
With LUKS, cryptsetup will store all these parameters in a binary format. By default this binary data is stored at the beginning of the disk. The kernel then only uses the remaining disk space for encryption. The binary data at the beginning of the disk is not encrypted because the setup would then be unreadable.
When you set up a LUKS partition, cryptsetup creates a random key used for encrypting the partition. Using a random key for disk encryption is an absolute MUST! A hash of this key is stored in the binary data to do key verification. By default a 128k salt is created for each password you wish to use to access the disk (anti forensics). The disk key is then encrypted with the salt and the password. The salt and the encrypted key are stored in the binary data.
If the salt is lost, the disk key is lost and recovery of your data is virtually impossible with only your password. With only the password it is impossible to decrypt the disk. If you have a backup of the disk key, with that key you can decrypt the disk without the password.
All the steps done by LUKS are necessary for proper disk encryption! If you do not use LUKS you need to write your own software to do the necessary steps! Cryptsetup without LUKS uses just a plain hash function without a salt to derive the disk key from your password. The entropy in this kind of key creation is not nearly enough for secure disk encryption!
Unless you know what you are doing use LUKS.
--
-Matti
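A runnable model of the difference Matti describes, added here and not part of the thread or of cryptsetup itself: plain mode derives the volume key by hashing the passphrase with no salt, so the same passphrase gives the same key everywhere, while LUKS generates a random volume key, wraps it in a key slot under a salted PBKDF2-derived key, and keeps a digest of the volume key so an unlock can be verified. SHA-256, the iteration count, and the HMAC-counter keystream used for the wrap step are stand-ins (assumptions) for cryptsetup's real default hash, its benchmarked cost, and the AES plus anti-forensic splitting that real LUKS headers use.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed PBKDF2 cost; real cryptsetup benchmarks the iteration count per
# machine. Kept modest so the model runs quickly.
ITERATIONS = 50_000
KEY_BYTES = 32


def plain_mode_key(passphrase: bytes) -> bytes:
    """cryptsetup without LUKS: the volume key is an unsalted hash of the
    passphrase truncated to the cipher key size (SHA-256 stands in for
    cryptsetup's default hash). No salt and no random volume key, so the
    same passphrase maps to the same key on every device."""
    return hashlib.sha256(passphrase).digest()[:KEY_BYTES]


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (HMAC-SHA256 in counter mode), used only so the
    wrap/unwrap of the volume key runs offline. Real LUKS wraps the key
    with the volume cipher and an anti-forensic splitter."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def _volume_key_digest(volume_key: bytes, salt: bytes) -> bytes:
    # Stored in the header so a candidate key can be checked without
    # decrypting any payload data.
    return hashlib.pbkdf2_hmac("sha256", volume_key, salt, ITERATIONS, KEY_BYTES)


@dataclass
class KeySlot:
    salt: bytes                # per-passphrase salt
    wrapped_volume_key: bytes  # volume key encrypted under the slot's KEK


@dataclass
class LuksHeader:
    digest_salt: bytes
    digest: bytes
    slots: List[KeySlot] = field(default_factory=list)


def luks_add_key(header: LuksHeader, volume_key: bytes, passphrase: bytes) -> None:
    """Add a passphrase: fresh salt, PBKDF2 to a key-encrypting key, wrap."""
    salt = os.urandom(32)
    kek = hashlib.pbkdf2_hmac("sha256", passphrase, salt, ITERATIONS, KEY_BYTES)
    header.slots.append(KeySlot(salt, _keystream_xor(kek, volume_key)))


def luks_format(passphrase: bytes) -> Tuple[LuksHeader, bytes]:
    """luksFormat: random volume key, verification digest, one key slot.
    Returns the header and the volume key; the key is what a volume-key
    backup preserves, so it can decrypt the data without any passphrase."""
    volume_key = os.urandom(KEY_BYTES)
    digest_salt = os.urandom(32)
    header = LuksHeader(digest_salt, _volume_key_digest(volume_key, digest_salt))
    luks_add_key(header, volume_key, passphrase)
    return header, volume_key


def luks_open(header: LuksHeader, passphrase: bytes) -> Optional[bytes]:
    """luksOpen: try every slot; the digest tells which unwrap succeeded.
    Returns the volume key, or None if no slot accepts the passphrase."""
    for slot in header.slots:
        kek = hashlib.pbkdf2_hmac("sha256", passphrase, slot.salt, ITERATIONS, KEY_BYTES)
        candidate = _keystream_xor(kek, slot.wrapped_volume_key)
        if hmac.compare_digest(_volume_key_digest(candidate, header.digest_salt), header.digest):
            return candidate
    return None


if __name__ == "__main__":
    header, volume_key = luks_format(b"correct horse battery staple")
    print("unlock ok:", luks_open(header, b"correct horse battery staple") == volume_key)
    print("wrong passphrase rejected:", luks_open(header, b"wrong") is None)
    print("plain mode is deterministic:", plain_mode_key(b"hunter2") == plain_mode_key(b"hunter2"))
```

Two consequences of the design fall straight out of the model: formatting two devices with the same passphrase yields unrelated slot data and unrelated volume keys, whereas plain mode yields the identical key, and the header's slots plus digest are the only path from passphrase to volume key, which is why losing the header (or its salts) makes the passphrase useless, while a copy of the volume key decrypts the data without it.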
* Re: [gentoo-user] [SOLVED] Running cryptsetup under mdev
From: Matti Nykyri @ 2014-05-12 7:24 UTC
To: gentoo-user@lists.gentoo.org
On May 7, 2014, at 21:57, "J. Roeleveld" <joost@antarean.org> wrote:
> I was wondering. What is the actual reason why cryptsetup has a LUKS and non-LUKS set of options?
And a short answer to the actual question :)
LUKS automates key creation and non-LUKS lets you do it manually.
Sorry for the long posts ;)
--
-Matti