Discussion:
unable to mount encrypted partitions created with drakdisk
simple w8
2012-03-21 00:57:47 UTC
Hi,

I use sometimes to boot Windows, and if I need some file I use to mount
my /home encrypted partition using FreeOTFE (or TrueCrypt) to access
the files I need, but I saw today that the /home partition that was
created in Mageia is not possible to mount with FreeOTFE or TrueCrypt.

But the /home partition created with Mandriva drakdisk can be mounted
with those 2 applications, so it seems that Mageia drakdisk isn't doing
something right.

I have already created a new partition with Mageia drakdisk just to be
sure, and yes, it is not possible to mount in Windows; it says to recheck the
password or that it is not a good encrypted partition, and the password
is correct.

I'm used so far to access my encrypted partitions under Windows, but
with Mageia that appears not to be possible. Could anyone check this
and see if it can be fixed?

TIA,
Pedro
David W. Hodgins
2012-03-21 01:36:33 UTC
Post by simple w8
Hi,
I use sometimes to boot Windows, and if I need some file I use to mount
my /home encrypted partition using FreeOTFE (or TrueCrypt) to access
the files I need, but I saw today that the /home partition that was
created in Mageia is not possible to mount with FreeOTFE or TrueCrypt.
But the /home partition created with Mandriva drakdisk can be mounted
with those 2 applications, so it seems that Mageia drakdisk isn't doing
something right.
That's likely a result of
https://bugs.mageia.org/show_bug.cgi?id=3092

With the default settings, cryptsetup uses cbc mode encryption,
which makes it much more likely that it can be cracked.

See http://clemens.endorphin.org/nmihde/nmihde-A4-os.pdf
for an explanation of how this is done.

In Mageia's diskdrake, the setting is overridden to use xts mode,
instead of cbc mode.

If you prefer to use the less secure method, in order
to keep it compatible with the windows applications, you'll
have to re-encrypt it manually with
cryptsetup luksFormat /dev/sd??.

Don't forget to back up the data first, as this will erase that
device.

Regards, Dave Hodgins
simple w8
2012-03-21 07:41:00 UTC
Post by David W. Hodgins
Post by simple w8
Hi,
I use sometimes to boot Windows, and if I need some file I use to mount
my /home encrypted partition using FreeOTFE (or TrueCrypt) to access
the files I need, but I saw today that the /home partition that was
created in Mageia is not possible to mount with FreeOTFE or TrueCrypt.
But the /home partition created with Mandriva drakdisk can be mounted
with those 2 applications, so it seems that Mageia drakdisk isn't doing
something right.
That's likely a result of
https://bugs.mageia.org/show_bug.cgi?id=3092
With the default settings, cryptsetup uses cbc mode encryption,
which makes it much more likely that it can be cracked.
See http://clemens.endorphin.org/nmihde/nmihde-A4-os.pdf
for an explanation of how this is done.
In Mageia's diskdrake, the setting is overridden to use xts mode,
instead of cbc mode.
If you prefer to use the less secure method, in order
to keep it compatible with the windows applications, you'll
have to re-encrypt it manually with
cryptsetup luksFormat /dev/sd??.
Don't forget to back up the data first, as this will erase that
device.
Regards, Dave Hodgins
Thanks for the clarification, and it was a very good improvement :)

But I think it would be better to have in diskdrake some option
allowing the user to choose the cypher, since the default cypher used
in cryptsetup and in other apps that support luks is cbc, and this
way diskdrake is making it incompatible with the remaining apps that
support luks.

This way the user could be informed about what's happening and also
would have a choice; that would be great and would in fact increase
diskdrake popularity.
David W. Hodgins
2012-03-22 03:23:21 UTC
Post by simple w8
But I think it would be better to have in diskdrake some option
allowing the user to choose the cypher, since the default cypher used
in cryptsetup and in other apps that support luks is cbc, and this
way diskdrake is making it incompatible with the remaining apps that
support luks.
Agreed. Go ahead and write a patch! :-)

Sorry, but my perl knowledge is very limited. Looking through the
code, I can usually figure out what it's doing, I was able to
create the patch that simply added the --cipher option to the existing
code in diskdrake, but altering the dialog to add selection of which
cipher to use, would probably take me a very long time.

You should probably open an enhancement bug report, requesting the
change, that can then be assigned to the diskdrake maintainer.

Btw, I had no idea that luks encryption was compatible with truecrypt.
Thanks for that info.

Regards, Dave Hodgins
simple w8
2012-03-28 23:00:04 UTC
Post by David W. Hodgins
Post by simple w8
Hi,
I use sometimes to boot Windows, and if I need some file I use to mount
my /home encrypted partition using FreeOTFE (or TrueCrypt) to access
the files I need, but I saw today that the /home partition that was
created in Mageia is not possible to mount with FreeOTFE or TrueCrypt.
But the /home partition created with Mandriva drakdisk can be mounted
with those 2 applications, so it seems that Mageia drakdisk isn't doing
something right.
That's likely a result of
https://bugs.mageia.org/show_bug.cgi?id=3092
With the default settings, cryptsetup uses cbc mode encryption,
which makes it much more likely that it can be cracked.
See http://clemens.endorphin.org/nmihde/nmihde-A4-os.pdf
for an explanation of how this is done.
In Mageia's diskdrake, the setting is overridden to use xts mode,
instead of cbc mode.
Something is not right. FreeOTFE says it does support xts, but it's not
able to mount the partitions encrypted in Mageia. What can be
the cause?

You may see the FreeOTFE supported cypher modes here:
http://www.freeotfe.org/docs/Main/Linux_volumes.htm
simple w8
2012-03-29 01:40:36 UTC
Post by simple w8
Post by David W. Hodgins
Post by simple w8
Hi,
I use sometimes to boot Windows, and if I need some file I use to mount
my /home encrypted partition using FreeOTFE (or TrueCrypt) to access
the files I need, but I saw today that the /home partition that was
created in Mageia is not possible to mount with FreeOTFE or TrueCrypt.
But the /home partition created with Mandriva drakdisk can be mounted
with those 2 applications, so it seems that Mageia drakdisk isn't doing
something right.
That's likely a result of
https://bugs.mageia.org/show_bug.cgi?id=3092
With the default settings, cryptsetup uses cbc mode encryption,
which makes it much more likely that it can be cracked.
See http://clemens.endorphin.org/nmihde/nmihde-A4-os.pdf
for an explanation of how this is done.
In Mageia's diskdrake, the setting is overridden to use xts mode,
instead of cbc mode.
Something is not right. FreeOTFE says it does support xts, but it's not
able to mount the partitions encrypted in Mageia. What can be
the cause?
http://www.freeotfe.org/docs/Main/Linux_volumes.htm
I have been looking at the supported cyphers and hashes in FreeOTFE
and I see that the cypher XTS with keysize 512 is not supported,
however it supports keysizes 128, 192, 256 and 1024.

You have chosen the keysize 512, that's the one that is not supported under
the FreeOTFE project...
Isn't it possible to change the keysize to a value that can be supported
under Windows?
David W. Hodgins
2012-03-30 07:41:43 UTC
Post by simple w8
You have chosen the keysize 512, that's the one that is not supported under
the FreeOTFE project...
Isn't it possible to change the keysize to a value that can be supported
under Windows?
Yes. Test what works on your own system, then open a bug report asking
for the change. Just don't use cbc, as it's too insecure.

Regards, Dave Hodgins
simple w8
2012-04-13 18:36:11 UTC
Post by David W. Hodgins
Post by simple w8
You have chosen the keysize 512, that's the one that is not supported under
the FreeOTFE project...
Isn't it possible to change the keysize to a value that can be supported
under Windows?
Yes. Test what works on your own system, then open a bug report asking
for the change.  Just don't use cbc, as it's too insecure.
Regards, Dave Hodgins
It would be better if you could do those tests, since you're far in a
better position and have more knowledge in that area to safely say
what is the best option to use that's also supported by FreeOTFE :)
David W. Hodgins
2012-03-29 02:22:42 UTC
Post by simple w8
Something is not right. FreeOTFE says it does support xts, but it's not
able to mount the partitions encrypted in Mageia. What can be
the cause?
We're using --cipher aes-xts-benbi --key-size 512.

As per http://www.ody.ca/~dwhodgins/Luks-Howto.html#Changelog
this was suggested to me several years ago, and is what I've been
using since then.
Post by simple w8
http://www.freeotfe.org/docs/Main/Linux_volumes.htm
I wasn't aware luks encrypted volumes could be opened by anything
else, or I would have considered that when suggesting the cipher
change.

I don't think using the benbi initial vector generation algorithm (64 bit)
instead of the plain (32 bit) algorithm makes much of a difference,
in terms of security. It was just the cbc mode that I was concerned
with.

Can you modify /usr/lib/libDrakX/fs/dmcrypt.pm to use aes-xts-plain
(line 68), create an encrypted volume, and test it with freeotfe?
If that works, open a bug report and request the change.

Regards, Dave Hodgins
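
Added example, not part of the original thread: a small reader for the cipher, mode, IV generator and key size recorded in a LUKS1 header, so the values a volume was really formatted with can be compared against what another tool supports. It assumes the LUKS1 on-disk layout; the sample headers are constructed, and the helper names are illustrative.

```python
import struct

# LUKS1 on-disk header prefix (all integers big-endian):
# magic[6] version(u16) cipher-name[32] cipher-mode[32] hash-spec[32] payload-offset(u32) key-bytes(u32)
LUKS1_PREFIX = struct.Struct(">6sH32s32s32sII")
LUKS_MAGIC = b"LUKS\xba\xbe"


def _cstr(raw):
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\0", 1)[0].decode("ascii")


def read_luks1_spec(header):
    """Return cipher, chaining mode, IV generator, hash and key size from a LUKS1 header."""
    if len(header) < LUKS1_PREFIX.size:
        raise ValueError("short read: not enough bytes for a LUKS1 header")
    magic, version, name, mode, hash_spec, _payload, key_bytes = \
        LUKS1_PREFIX.unpack_from(header)
    if magic != LUKS_MAGIC:
        raise ValueError("no LUKS magic: not a LUKS volume")
    if version != 1:
        raise ValueError(f"LUKS version {version} uses a different header layout")
    chain, _, ivgen = _cstr(mode).partition("-")  # "xts-benbi" -> "xts", "benbi"
    return {"cipher": _cstr(name), "mode": chain, "iv": ivgen,
            "hash": _cstr(hash_spec), "key_bits": key_bytes * 8}


def spec_string(spec):
    """Format the result the way it is passed to cryptsetup (--cipher / --key-size)."""
    name = "-".join(p for p in (spec["cipher"], spec["mode"], spec["iv"]) if p)
    return f"--cipher {name} --key-size {spec['key_bits']}"


def build_sample_header(cipher, mode, hash_spec, key_bytes):
    """Constructed test input: only the prefix fields are populated, the rest is zero."""
    return LUKS1_PREFIX.pack(LUKS_MAGIC, 1, cipher.encode(), mode.encode(),
                             hash_spec.encode(), 4096, key_bytes).ljust(592, b"\0")


if __name__ == "__main__":
    # Constructed headers: the diskdrake setting quoted in the thread, and a CBC volume.
    for args in (("aes", "xts-benbi", "sha1", 64), ("aes", "cbc-essiv:sha256", "sha1", 32)):
        spec = read_luks1_spec(build_sample_header(*args))
        print(spec_string(spec), "| hash", spec["hash"])
```

On a real volume, pass the first 592 bytes of the partition (read as root); `cryptsetup luksDump` on the same device reports the same fields.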