[dm-crypt] "re-encrypting" ?

[dm-crypt] "re-encrypting" ?

[Steve Verniers]

[-- Attachment #1: Type: text/plain, Size: 414 bytes --]

Hi,

Just a quick question. I have encrypted my FS with cryptsetup and see it's
256bit but I found that it is too taxing on my systems resources (only
Pentium 4 machine with 2GB ram)  Could I "re-encrypt" the FS without loosing
the data which is already stored on it ?  I have no room to backup so much
space.

Also what would be a recommanded bit for a system such as mine ? 64bit ? 128
?

-- 
Kind Regards
Steve

[-- Attachment #2: Type: text/html, Size: 536 bytes --]

Re: [dm-crypt] "re-encrypting" ?

[wolfgang.aigner]

Hello Steve,

> I have encrypted my FS with cryptsetup and see it's
> 256bit but I found that it is too taxing on my systems resources (only
> Pentium 4 machine with 2GB ram)  Could I "re-encrypt" the FS without
> loosing
> the data which is already stored on it ?  I have no room to backup so much
> space.

Yes, but its always dangerous and you could loose all your data. Don't trust on that and do a backup. If it doesn't matter if you loose anything you could use: 
dd if=/dev/mapper/[cryptdevice] of=/dev/[device] conv=notrunc

Be aware this is DANGEROUS.
 
> Also what would be a recommanded bit for a system such as mine ? 64bit ?
> 128

You get a bit more Speed with 128 Bit AES, but still it is slower than withou encryption.

cheers
Wolfgang
-- 
NEU: FreePhone - 0ct/min Handyspartarif mit Geld-zurück-Garantie!		
Jetzt informieren: http://www.gmx.net/de/go/freephone

Re: [dm-crypt] "re-encrypting" ?

[Steve Verniers]

Hi wolfgang.  Thank you for your fast response.

What would 
> dd if=/dev/mapper/[cryptdevice] of=/dev/[device] conv=notrunc
Actually do then ?
Would it revert back to no encryption ? How would i convert the 256 bit encrypt to 128 ?

Thanks

Sent from my iPhone

On 14-aug.-2011, at 01:35, wolfgang.aigner@gmx.de wrote:

> Hello Steve,
> 
>> I have encrypted my FS with cryptsetup and see it's
>> 256bit but I found that it is too taxing on my systems resources (only
>> Pentium 4 machine with 2GB ram)  Could I "re-encrypt" the FS without
>> loosing
>> the data which is already stored on it ?  I have no room to backup so much
>> space.
> 
> Yes, but its always dangerous and you could loose all your data. Don't trust on that and do a backup. If it doesn't matter if you loose anything you could use: 
> dd if=/dev/mapper/[cryptdevice] of=/dev/[device] conv=notrunc
> 
> Be aware this is DANGEROUS.
> 
>> Also what would be a recommanded bit for a system such as mine ? 64bit ?
>> 128
> 
> You get a bit more Speed with 128 Bit AES, but still it is slower than withou encryption.
> 
> cheers
> Wolfgang
> -- 
> NEU: FreePhone - 0ct/min Handyspartarif mit Geld-zurück-Garantie!        
> Jetzt informieren: http://www.gmx.net/de/go/freephone

Re: [dm-crypt] "re-encrypting" ?

[Heinz Diehl]

On 14.08.2011, Steve Verniers wrote: 

> How would i convert the 256 bit encrypt to 128 ?

Actually, you can't. You'll have to backup your data somewhere and 
luksFormat the partition with the new parameters. Besides, I doubt that
128 bit gives noticeably more speed than 256 bit, even if your system is
somewhat old.

Re: [dm-crypt] "re-encrypting" ?

[Roscoe]

On Sun, Aug 14, 2011 at 9:35 AM,  <wolfgang.aigner@gmx.de> wrote:
...
> Yes, but its always dangerous and you could loose all your data. Don't trust on that and do a backup. If it doesn't matter if you loose anything you could use:
> dd if=/dev/mapper/[cryptdevice] of=/dev/[device] conv=notrunc
...


This strikes me as poor advice for the following reasons:

- It's writing out plaintext directly to his hard disk, the exact
thing he doesn't want to happen

- He asked for a re-encryption solution

- It's riskier than it has to be, you're not even backing up the master key...


-- Roscoe

Re: [dm-crypt] "re-encrypting" ?

[Arno Wagner]

On Sat, Aug 13, 2011 at 11:18:15PM +0200, Steve Verniers wrote:
> Hi,
> 
> Just a quick question. I have encrypted my FS with cryptsetup and see it's
> 256bit but I found that it is too taxing on my systems resources (only
> Pentium 4 machine with 2GB ram) 

"256" bit does not say a lot about encryption speed. The most 
important facto is the cipher. Mode also plays a role.
If you look here:

http://blog.wpkg.org/2009/04/23/cipher-benchmark-for-dm-crypt-luks/

you will find that AES256 is close to the maximum speed you can 
get and AES128 is only about 20% faster. The perception limit
for computing speed changes is around 20%, i.e. it is possible
you would not even notice the change. 

It would seem that you will not get any significant speed improvement
by changing the cipher. Also note that you need to use cbc-essiv or 
xts mode at this time to be seucre, the others have data-leackage 
issues.

> Could I "re-encrypt" the FS without loosing
> the data which is already stored on it ?  I have no room to backup so much
> space.

You could, but there is a massive risk of complete data-loss. 
Don't do this without a full, verifed backup. If you have that
backup, you can just re-create the encrypted device and be done,
so I will not go into any bizzare solutions for doing this.

Side note, you need a full backup of the encrypted data anyways,
if it is worth anything, see also the FAQ. If you do not have 
a backup, I recommend just deleting all data and starting
over with an empty device, as your data is obviously not
worth anything.

> Also what would be a recommanded bit for a system such as 
> mine ? 64bit ? 128?

As a shorter key does not give significant speed
improvement, aes256-cbc-essiv or aes256-xts is close 
to optimal.

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] "re-encrypting" ?

[Heinz Diehl]

On 14.08.2011, Arno Wagner wrote: 

> As a shorter key does not give significant speed
> improvement, aes256-cbc-essiv or aes256-xts is close 
> to optimal.

On my Intel Core i5 laptop, twofish is actually faster than AES..

Re: [dm-crypt] "re-encrypting" ?

[Arno Wagner]

On Sun, Aug 14, 2011 at 12:32:10PM +0200, Heinz Diehl wrote:
> On 14.08.2011, Arno Wagner wrote: 
> 
> > As a shorter key does not give significant speed
> > improvement, aes256-cbc-essiv or aes256-xts is close 
> > to optimal.
> 
> On my Intel Core i5 laptop, twofish is actually faster than AES..

It is on some architectures. It is also less secure.

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] "re-encrypting" ?

[Kyle Rose]

[-- Attachment #1: Type: text/plain, Size: 1066 bytes --]

Really? You know of an attack on Twofish that reveals plaintext or
statistical information about the plaintext?
On Aug 14, 2011 8:23 AM, "Arno Wagner" <arno@wagner.name> wrote:
> On Sun, Aug 14, 2011 at 12:32:10PM +0200, Heinz Diehl wrote:
>> On 14.08.2011, Arno Wagner wrote:
>>
>> > As a shorter key does not give significant speed
>> > improvement, aes256-cbc-essiv or aes256-xts is close
>> > to optimal.
>>
>> On my Intel Core i5 laptop, twofish is actually faster than AES..
>
> It is on some architectures. It is also less secure.
>
> Arno
> --
> Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email:
arno@wagner.name
> GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
> ----
> Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
>
> If it's in the news, don't worry about it. The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

[-- Attachment #2: Type: text/html, Size: 1551 bytes --]

Re: [dm-crypt] "re-encrypting" ?

[Heinz Diehl]

On 14.08.2011, Arno Wagner wrote: 

> It is on some architectures. It is also less secure.

As far as I know, both Serpent and Twofish has shown to be more secure than 
Rijndael. However, Rijndael was choosen as the new AES because of its overall
qualities (speed on various architectures, simplicity..).

http://csrc.nist.gov/archive/aes/round2/comments/20000515-bschneier.pdf

Anyway, I doubt this is playing an important role since none of these algorithms
has been broken yet.

Re: [dm-crypt] "re-encrypting" ?

[Arno Wagner]

On Sun, Aug 14, 2011 at 03:12:08PM +0200, Heinz Diehl wrote:
> On 14.08.2011, Arno Wagner wrote: 
> 
> > It is on some architectures. It is also less secure.
> 
> As far as I know, both Serpent and Twofish has shown to be more secure than 
> Rijndael. However, Rijndael was choosen as the new AES because of its overall
> qualities (speed on various architectures, simplicity..).
> 
> http://csrc.nist.gov/archive/aes/round2/comments/20000515-bschneier.pdf
> 
> Anyway, I doubt this is playing an important role since none of these algorithms
> has been broken yet.

Indeed. One argument is that AES will get more scrutiny, as it is
more critical for the world. Typically it should not matter though.

Arno


> 
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
> 

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] "re-encrypting" ?

[Wolfgang Aigner]

On Sunday, August 14, 2011 02:22:57 PM Arno Wagner wrote:
> On Sun, Aug 14, 2011 at 12:32:10PM +0200, Heinz Diehl wrote:
> > On 14.08.2011, Arno Wagner wrote:
> > > As a shorter key does not give significant speed
> > > improvement, aes256-cbc-essiv or aes256-xts is close
> > > to optimal.
> > 
> > On my Intel Core i5 laptop, twofish is actually faster than AES..
> 
> It is on some architectures. It is also less secure.
> 

Cryptgraphically the best know attack against truefish is as far as I 
know still 

http://www.schneier.com/paper-twofish-impossible.html

I'm also not aware of any implementation problems on "some architectures". The 
only think I can argue against twofish is, that there are not so many  
cryptographical analysisis against it as agains Rijndael.

Can  you bring any paper, article or other resource that supports your claim? 

cheers 
Wolfgang

Re: [dm-crypt] "re-encrypting" ?

[Wolfgang Aigner]

Hello Steve,

> What would
> > dd if=/dev/mapper/[cryptdevice] of=/dev/[device] conv=notrunc
> Actually do then ?
> Would it revert back to no encryption ? How would i convert the 256 bit
> encrypt to 128 ?

Ok, sorry for not be clear in the first mail. I thought you'd like to unencrypt 
the whole thing.

To reencrypt you get two cryptdevices for the same device:

 /dev/mapper/[cryptdevice-AES128]
 /dev/mapper/[cryptdevice-AES256]

and then do an 
dd if=/dev/mapper/[cryptdevice-AES256] of=/dev/[cryptdevice-AES128] \ 
conv=notrunc

And as wrote before, DON'T DO THIS IF DATA LOSS IS A PROBLEM for you. Ive done 
this many times and most times it worked fine, but you can't be sure.


> Hein Diehl wrote
> Actually, you can't. You'll have to backup your data somewhere and
> luksFormat the partition with the new parameters. Besides, I doubt that
> 128 bit gives noticeably more speed than 256 bit, even if your system is
> somewhat old.

Be aware, that doesn't work with LUKS devices, only with plain dm-crypt 
devices.

> Roscoe wrote
> This strikes me as poor advice for the following reasons:
> 
> - It's writing out plaintext directly to his hard disk, the exact
> thing he doesn't want to happen

you are right, as I wrote on top I thought he would like to unencrypt the 
whole device.

> - It's riskier than it has to be, you're not even backing up the master
> key...

As Heinz Diehl wrote, it doesn't work with LUKS Headers. Don't bother to make 
a backup for the keys ;-)
For dm-crypt devices you don't need a backup of you master key.

cheers 

Wolfgang

Re: [dm-crypt] "re-encrypting" ?

[Arno Wagner]

On Sun, Aug 14, 2011 at 07:46:23PM +0200, Wolfgang Aigner wrote:
> On Sunday, August 14, 2011 02:22:57 PM Arno Wagner wrote:
> > On Sun, Aug 14, 2011 at 12:32:10PM +0200, Heinz Diehl wrote:
> > > On 14.08.2011, Arno Wagner wrote:
> > > > As a shorter key does not give significant speed
> > > > improvement, aes256-cbc-essiv or aes256-xts is close
> > > > to optimal.
> > > 
> > > On my Intel Core i5 laptop, twofish is actually faster than AES..
> > 
> > It is on some architectures. It is also less secure.
> > 
> 
> Cryptgraphically the best know attack against truefish is as far as I 
> know still 
> 
> http://www.schneier.com/paper-twofish-impossible.html
> 
> I'm also not aware of any implementation problems on "some architectures". The 
> only think I can argue against twofish is, that there are not so many  
> cryptographical analysisis against it as agains Rijndael.

This is my claim. Also take into account that the NSA spent significant
time on AES, as the US economy depends on it. No such thing for 
twofish. 

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] "re-encrypting" ?

[Kyle Rose]

> This is my claim. Also take into account that the NSA spent significant
> time on AES, as the US economy depends on it. No such thing for
> twofish.

Then one right way to phrase your opinion is "The evidence suggests
that AES is at least as secure as Twofish, and the added scrutiny
gives me more confidence in it." Leaving out the extra words and
abbreviating this as "AES is more secure than Twofish" is an unfounded
assertion of fact, when in reality all you have is opinion and deeper
cryptanalysis. Until you find a way to break a symmetric cipher, it's
hard to say with any certainty whether it is more or less secure than
any other cipher with the same parameters (block size and key length).