Geek computing, mathematics, critical thinking and some other thing every now and then.

2013-05-11

From cryptoloop to dm-crypt in Debian

I've been struggling with it for a while and finally found the solution. I was using cryptoloop in Lenny and needed to migrate to Squeeze, from which cryptoloop is removed. The tutorials tell me to just use cryptsetup, but none of them mentions one important detail.

From the dm-crypt page:

The defaults [for cryptsetup] are aes with a 256 bit key, hashed using ripemd160. [...]

Migration from cryptoloop and compatibility

[...]

You'll need to figure out how your passphrase was turned into a key to use for losetup. [...]

That last one turned out to be very sound advice. My losetup man page says in the section about the -e (encryption) option:

AES128 AES
Use 128 bit AES encryption. Passphrase is hashed with SHA-256 by default.

Aaaaaah... so that was why the decryption wasn't correctly giving a mountable volume. OK, there's a -h option to select the hash, and a -s option to select the cipher's block size, which I was already using. Putting it all together:

cryptsetup create -c aes -s 128 -h sha256 mappername devicename

finally did the trick and I could mount my encrypted device. The whole recipe to substitute mount -o loop,encryption=AES file mountpoint was:

modprobe dm-mod
losetup -f # outputs /dev/loopX to be used below
losetup /dev/loopX file
cryptsetup create -c aes -s 128 -h sha256 mappername /dev/loopX
mount /dev/mapper/mappername mountpoint
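Why the hash matters, as an added example that is not part of the original post: in plain mode there is no on-disk header, so the cipher key comes only from the passphrase, the -h hash and the -s key size in bits, and a wrong guess still maps a device that simply decrypts to garbage. The derivation below is a model of plain-mode passphrase hashing as I understand it (an assumption: hash the passphrase, truncate to the key size, and for longer keys append further rounds prefixed with 'A' bytes); the passphrase and candidate list are constructed.

```python
import hashlib

def plain_mode_key(passphrase: bytes, hash_name: str, key_bits: int) -> bytes:
    """Model of plain-mode key derivation (assumed scheme, see lead-in)."""
    key_len = key_bits // 8
    key = b""
    round_no = 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"A" * round_no)   # round 0 hashes the bare passphrase
        h.update(passphrase)
        key += h.digest()
        round_no += 1
    return key[:key_len]            # truncate to the size given with -s

def compare(passphrase: bytes, candidates):
    """Map (hash, bits) -> hex key, or None if this Python lacks the hash."""
    out = {}
    for hash_name, bits in candidates:
        try:
            out[(hash_name, bits)] = plain_mode_key(passphrase, hash_name, bits).hex()
        except ValueError:          # e.g. ripemd160 disabled in the local OpenSSL
            out[(hash_name, bits)] = None
    return out

# Constructed candidates: the combination that worked in the post first,
# then the cryptsetup defaults quoted from the dm-crypt page, then two others.
CANDIDATES = [("sha256", 128), ("ripemd160", 256), ("sha256", 256), ("sha1", 128)]

if __name__ == "__main__":
    sample = b"constructed-sample-passphrase"   # not a real passphrase
    for (name, bits), key in compare(sample, CANDIDATES).items():
        print(f"-h {name:<9} -s {bits:<3} -> {key or 'hash unavailable'}")
```

Every line of output is a different key for the same passphrase, which is why the defaults produced an unmountable mapping while -s 128 -h sha256 did not.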
