On 2014-12-28 03:03, Carlos E. R. wrote:
> On 2014-12-28 02:16, purevw wrote:
>
>> Thanks for the information. It seems that what I want to do may not be
>> possible with current tools.
>
> As far as I know it may be possible, but not automatically.
>
> /dev/sdXY -> apply crypt one -> get /dev/mapper/cr_1st ->
> apply crypt two -> get /dev/mapper/cr_2nd
>
> etc, as many times as you want. But you have to handle the sequence
> yourself.
Testing the procedure:
Create an empty 1 GB file:
Telcontar:/data/storage_c/tmp_borrar # dd if=/dev/zero of=crypta bs=1M count=1000
1000+0 records in
1000+0 records out
1048576000 bytes (1.0 GB) copied, 5.11283 s, 205 MB/s
Telcontar:/data/storage_c/tmp_borrar #
Create a loop device for testing, using that file:
Telcontar:/data/storage_c/tmp_borrar # losetup /dev/loop7 crypta
losetup: /dev/loop7: failed to set up loop device: No such file or directory
Telcontar:/data/storage_c/tmp_borrar # modprobe loop
Telcontar:/data/storage_c/tmp_borrar # losetup /dev/loop7 crypta
Telcontar:/data/storage_c/tmp_borrar # losetup -d /dev/loop7
Telcontar:/data/storage_c/tmp_borrar # losetup /dev/loop7 crypta
Telcontar:/data/storage_c/tmp_borrar #
Create encrypted device using that loop device:
Telcontar:/data/storage_c/tmp_borrar # cryptsetup -v --key-size 256 luksFormat /dev/loop7
WARNING!
========
This will overwrite data on /dev/loop7 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
Command successful.
Telcontar:/data/storage_c/tmp_borrar #
Check it:
Telcontar:/data/storage_c/tmp_borrar # losetup -a
/dev/loop7: [66304]:3221269075 (/data/storage_c/tmp_borrar/crypta)
Telcontar:/data/storage_c/tmp_borrar #
Telcontar:/data/storage_c/tmp_borrar # cryptsetup luksDump /dev/loop7
LUKS header information for /dev/loop7
Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha1
Payload offset: 4096
MK bits: 256
MK digest: 94 e4 e4 66 cb 2f b8 5d 50 73 0d ae 93 b6 d9 0c c5 37 cf c2
MK salt: 57 23 e9 13 25 20 2b f1 7d 9d b4 92 5d 29 0f 60
fa 4d ba 16 a1 26 3c f4 1b 7d 27 23 5b d7 ae c0
MK iterations: 46500
UUID: 6d9f6e56-c079-41dc-8de9-d18632a514bb
Key Slot 0: ENABLED
Iterations: 182335
Salt: 22 a5 ad 05 97 18 c6 4e d1 5b 9d 00 b0 59 ec 0e
06 1a 0d 92 c8 5f f4 f9 ae 1e bb 80 4c 23 89 21
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
Telcontar:/data/storage_c/tmp_borrar #
Open or activate the encrypted device:
Telcontar:/data/storage_c/tmp_borrar # cryptsetup luksOpen /dev/loop7 cr_nombre
Enter passphrase for /data/storage_c/tmp_borrar/crypta:
Telcontar:/data/storage_c/tmp_borrar # cryptsetup status /dev/mapper/cr_nombre
/dev/mapper/cr_nombre is active.
type: LUKS1
cipher: aes-xts-plain64
keysize: 256 bits
device: /dev/loop7
loop: /data/storage_c/tmp_borrar/crypta
offset: 4096 sectors
size: 2043904 sectors
mode: read/write
Telcontar:/data/storage_c/tmp_borrar #
Check it:
Telcontar:/data/storage_c/tmp_borrar # file -s /dev/mapper/cr_nombre
/dev/mapper/cr_nombre: symbolic link to `../dm-2'
Telcontar:/data/storage_c/tmp_borrar # cryptsetup status cr_nombre
/dev/mapper/cr_nombre is active.
type: LUKS1
cipher: aes-xts-plain64
keysize: 256 bits
device: /dev/loop7
loop: /data/storage_c/tmp_borrar/crypta
offset: 4096 sectors
size: 2043904 sectors
mode: read/write
Telcontar:/data/storage_c/tmp_borrar # file -s /dev/dm-2
/dev/dm-2: data
Telcontar:/data/storage_c/tmp_borrar #
Second layer attempt.
Telcontar:/data/storage_c/tmp_borrar # cryptsetup -v --key-size 256 luksFormat --cipher aes-cbc-essiv /dev/mapper/cr_nombre
WARNING!
========
This will overwrite data on /dev/mapper/cr_nombre irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
device-mapper: reload ioctl on failed: Invalid argument
Failed to open temporary keystore device.
device-mapper: remove ioctl on temporary-cryptsetup-8521 failed: No such device or address
device-mapper: reload ioctl on temporary-cryptsetup-8521 failed: No such device or address
device-mapper: remove ioctl on temporary-cryptsetup-8521 failed: No such device or address
device-mapper: remove ioctl on temporary-cryptsetup-8521 failed: No such device or address
device-mapper: remove ioctl on temporary-cryptsetup-8521 failed: No such device or address
device-mapper: remove ioctl on temporary-cryptsetup-8521 failed: No such device or address
Command failed with code 5: Input/output error
Telcontar:/data/storage_c/tmp_borrar # file /dev/mapper/cr_nombre
/dev/mapper/cr_nombre: symbolic link to `../dm-2'
Telcontar:/data/storage_c/tmp_borrar # file /dev/dm-2
/dev/dm-2: block special
Telcontar:/data/storage_c/tmp_borrar #
Log:
(cipher aes)
<0.3> 2014-12-31 14:49:59 Telcontar kernel - - - [728137.840264] device-mapper: table: 253:3: crypt: Error allocating crypto tfm
<0.4> 2014-12-31 14:49:59 Telcontar kernel - - - [728137.840268] device-mapper: ioctl: error adding target to table
(cipher aes-cbc-essiv)
<0.3> 2014-12-31 14:50:59 Telcontar kernel - - - [728198.060452] device-mapper: table: 253:3: crypt: Error creating IV
<0.4> 2014-12-31 14:50:59 Telcontar kernel - - - [728198.060456] device-mapper: ioctl: error adding target to table
With keysize 32, I get the error:
<0.3> 2014-12-31 14:58:20 Telcontar kernel - - - [728638.764782] device-mapper: table: 253:3: crypt: Error decoding and setting key
<0.4> 2014-12-31 14:58:20 Telcontar kernel - - - [728638.764785] device-mapper: ioctl: error adding target to table
Guesses:
wrong cipher (I have always used the default one, and the manual is not clear on available ones).
wrong device? Should it be a mounted filesystem?
The device exists and is writeable:
Telcontar:/data/storage_c/tmp_borrar # dd if=/dev/zero of=/dev/mapper/cr_nombre bs=1M count=900
900+0 records in
900+0 records out
943718400 bytes (944 MB) copied, 5.88488 s, 160 MB/s
Telcontar:/data/storage_c/tmp_borrar #
Concept test of second layer with the same default cipher:
Telcontar:/data/storage_c/tmp_borrar # cryptsetup -v --key-size 256 luksFormat /dev/mapper/cr_nombre
WARNING!
========
This will overwrite data on /dev/mapper/cr_nombre irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
Command successful.
Telcontar:/data/storage_c/tmp_borrar #
Works. So the problem is the syntax. Check:
Telcontar:/data/storage_c/tmp_borrar # cryptsetup status cr_nombre
/dev/mapper/cr_nombre is active and is in use.
type: LUKS1
cipher: aes-xts-plain64
keysize: 256 bits
device: /dev/loop7
loop: /data/storage_c/tmp_borrar/crypta
offset: 4096 sectors
size: 2043904 sectors
mode: read/write
Telcontar:/data/storage_c/tmp_borrar # cryptsetup status cr_nombre_dos
/dev/mapper/cr_nombre_dos is active.
type: LUKS1
cipher: aes-xts-plain64
keysize: 256 bits
device: /dev/mapper/cr_nombre
offset: 4096 sectors
size: 2039808 sectors
mode: read/write
Telcontar:/data/storage_c/tmp_borrar #
See? Double encryption.
Telcontar:/data/storage_c/tmp_borrar # dd if=/dev/zero of=/dev/mapper/cr_nombre_dos bs=1M count=900
900+0 records in
900+0 records out
943718400 bytes (944 MB) copied, 6.37297 s, 148 MB/s
Telcontar:/data/storage_c/tmp_borrar #
And it is writeable. I skip demonstrating how to mount it, that’s trivial - but not automatic.
Next step would be writing suitable entries in fstab and /etc/crypttab, and finding out what happens on boot. I leave that to somebody else.
--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)
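As an added helper (not Carlos's code and not part of this thread): a POSIX sh script that checks a dm-crypt cipher spec before luksFormat and then runs the layer-on-layer sequence in order, since the stacking has to be handled by hand. It assumes the dm-crypt rule that an essiv IV must name its hash ("aes-cbc-essiv:sha256"), which is my reading of the "Error creating IV" log line above; the script name, the DRY_RUN and FORMAT_CIPHER variables and the --key-size 256 option are my choices, and the device and mapping names are the ones from the transcript.

```shell
#!/bin/sh
# Added helper, not from the thread: checks a dm-crypt cipher spec and runs the
# LUKS-on-LUKS sequence by hand, each layer on top of the previous /dev/mapper node.
# DRY_RUN=1 prints the cryptsetup commands instead of running them.

run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# cipher_spec_ok SPEC: 0 if SPEC has the cipher-mode-iv[:opts] shape and an essiv
# IV names its hash. "aes-cbc-essiv" (no hash) is the form dm-crypt rejects with
# "Error creating IV" in the log above; "aes-cbc-essiv:sha256" is complete.
cipher_spec_ok() {
    spec=$1
    case $spec in
        *-*-*) ;;
        *) echo "'$spec': expected cipher-mode-iv[:opts]" >&2; return 1 ;;
    esac
    iv=${spec##*-}                    # text after the last '-', e.g. essiv:sha256
    case $iv in
        essiv|essiv:) echo "'$spec': essiv needs a hash, e.g. ${spec%:*}:sha256" >&2; return 1 ;;
    esac
    return 0
}

# stack_open BASE NAME...: activate the chain, bottom layer first. With
# FORMAT_CIPHER set, each layer is luksFormat'ed with that spec before being opened.
stack_open() {
    dev=$1; shift
    [ -z "${FORMAT_CIPHER:-}" ] || cipher_spec_ok "$FORMAT_CIPHER" || return 1
    for name in "$@"; do
        if [ -n "${FORMAT_CIPHER:-}" ]; then
            run cryptsetup -v --key-size 256 --cipher "$FORMAT_CIPHER" luksFormat "$dev" || return 1
        fi
        run cryptsetup luksOpen "$dev" "$name" || return 1
        dev=/dev/mapper/$name         # the next layer sits on this mapping
    done
}

# stack_close NAME...: deactivate top layer first; a lower mapping stays busy
# ("in use" in cryptsetup status) while a layer is open on top of it.
stack_close() {
    rev=
    for name in "$@"; do rev="$name $rev"; done   # mapping names contain no spaces
    for name in $rev; do run cryptsetup luksClose "$name" || return 1; done
}

# e.g.: FORMAT_CIPHER=aes-xts-plain64 sh luks_stack.sh stack_open /dev/loop7 cr_nombre cr_nombre_dos
if [ $# -gt 0 ]; then "$@"; fi
```

Run it first with DRY_RUN=1 to see the exact command sequence before touching a real device.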