Problems with encrypted loop-device


phaas
20th March 2005, 12:24 PM
Hi there!

I've been unsuccessfully trying to set up an encrypted loop-device using an image on my hard drive.
I use the 'losetup' program on a default Fedora Core 3 installation.
This is what I've tried and what went wrong:

bash-3.00$ dd bs=1024 count=5k if=/dev/zero of=image
5120+0 records in
5120+0 records uit
bash-3.00$ su
Password:
[root@localhost]# /sbin/modprobe cryptoloop
[root@localhost]# /sbin/modprobe aes-i586
[root@localhost]# /sbin/losetup -e aes256 image /dev/loop0
Password:
ioctl: LOOP_SET_FD: Inappropriate ioctl for device
[root@localhost]#


Bang, that's all I get.
I've read this (http://linuxfromscratch.org/~devine/erfs-howto.html) document, but I think I'm hopelessly stuck atm.
Does someone have experience with this?

mungoose
24th March 2005, 09:49 PM
First of all, you need to load that stuff plus loop in this order:

modprobe aes-i586
modprobe cryptoloop
modprobe loop

You can do that automagically by producing a new initrd image as user root - example for kernel-2.6.10-1.770_FC3smp:
mkinitrd --with=aes-i586 --with=cryptoloop --with=loop /boot/initrd-2.6.10-1.770_FC3smp_crypto.img 2.6.10-1.770_FC3smp

In grub.conf you simply copy the regular entries for the booting kernel below the original entry. Then you rename the copied one to Fedora Core Crypto (....) and change the initrd line to read initrd-2.6.10-1.770_FC3smp_crypto.img instead of initrd-2.6.10-1.770_FC3smp.img
Comment out the hidemenu entry at the top of grub.conf and now you have the option to boot into either the regular kernel procedure or the one that loads the crypto modules.

Next, when it comes to the password, you are most probably using one that is longer than 16 Hex digits. The util-linux package that comes with FDCx does not contain the loop-aes patch. So you are limited here and you have a losetup program that does not recognize the -S switch.

Although when trying to encrypt the whole root system, the Red Hat nash program used with initrd has a built-in losetup 'feature'. Such losetup is not capable of handling drives or partitions to be used on /dev/loop0 as it seems to support encrypted file images only.

mungoose
24th March 2005, 09:51 PM

And I forgot. FDC 3 losetup does not allow the use of -e aes256 because it is missing the above-mentioned patch. It allows the use of -e aes.

phaas
25th March 2005, 08:52 AM
Thank you, it works fine now.
A few questions though:
- Is using -e aes as strong as using -e aes256? Thus, is it still AES 256-bit?
- I don't get what you mean by the max. password length. When I enter 30 characters I still don't get an error message...
- Is it possible to install the patched version of losetup on FC3?

Thanks again!