Bug#614808: O: loop-aes - loop-AES encryption modules
Hi Ian,
On Thu, Feb 24, 2011 at 02:26:01PM +0000, Ian Jackson wrote:
> Max Vozeler writes ("Bug#614808: O: loop-aes - loop-AES encryption modules"):
> > loop-aes has an active and helpful upstream maintainer
> > and quite a few users.
>
> Why are these people not using dm-crypt and luks ?
Good question. I can only speculate:
The block encryption mode offered by loop-aes was more robust than
any of the alternatives at the time (cryptoloop) - this remained the
case until dm-crypt gained alternative IV generators such as essiv.
The nicely integrated setup which allowed one to set up encryption in
/etc/fstab and use mount, swapon etc. along with the indeed very good
documentation probably plays a role as well.
Today most of that no longer applies, so I guess the main reason
besides inertia is that people have existing encrypted volumes that
they want to use - and could do that only using loop-aes.
> These are serious questions, not rhetorical ones. If there's a good
> answer, fine. Otherwise perhaps we should think about a compatibility
> wrapper or something.
Makes sense to me.
I started to work on an implementation of the loop-aes block
encryption modes for dm-crypt which was picked up by Milan Broz
and recently got merged in mainline Linux for 2.6.38.
This is still no full replacement for loop-aes, but already goes
most of the way. What is still needed is a robust key derivation
tool which takes a GPG keyfile as input and formats the key in such
a way that it can be fed to dm-crypt.
I hacked together a first rough version which is available here:
http://hinterhof.net/~max/keyderive-0.1.tar.gz
> > It provides measures to strengthen
> > the encryption: Passphrase seeds, multiple hash iterations, MD5 IV
> > and use of alternating encryption keys.
>
> With dm-crypt these things can be done in userspace, and cryptsetup's
> LUKS facilities would seem to be adequate to meet these objectives.
> (Assuming by "alternating" we mean "alternative".)
This can all be done with dm-crypt today.
Alternating is meant to describe a mechanism for using multiple
keys (a set of 64 in the case of loop-aes v2/v3) to encrypt each of
the blocks within a sector with a different key.
This, too, recently got upstream (d1f9642381847e2b9) and will be
available in 2.6.38.
> > Encryption keys can be stored in a GnuPG-encrypted keyfile, which
> > allows the passphrase to be changed without re-encryption. Keyfiles
> > can also be encrypted asymmetrically for multi-user access.
>
> cryptsetup does not have these features but surely they can be made to
> work with dm-crypt.
I think it shouldn't be hard to implement as a cryptsetup key
script that takes such a GnuPG-format keyfile and uses a keyderive
tool to produce the dm-crypt format key.
> Can loop-aes's on-disk bulk data format be emulated with dm-crypt ?
As above, the short answer is: yes, use 2.6.38+ dm-crypt with the
mode "aes:64-cbc-lmk".
The longer answer is: with a bit of work on a key derivation tool
and a suitable cryptsetup key script one could build an alternative
that will allow using existing loop-aes volumes with dm-crypt.
I am not motivated to work on that myself right now. But if anyone
wants to do it, I am happy to help.
Max