* [dm-crypt] Truecrypt system partition support
From: Jan Janssen @ 2013-06-20 10:03 UTC
To: dm-crypt

Hi,

I just stumbled upon truecrypt support in cryptsetup. It sounds nice,
but there is one big issue that prevents it from being useful in
situations where the truecrypt partition is encrypted using system mode
and other partitions on the drive are mounted/in use (such as dual boot
on a single drive system).

There is this small limitation that you have to specify the
whole device for opening tcrypt system devices. And the fact that
tcryptOpen refuses to open if that device is mapped/mounted already
prevents me from using cryptsetup altogether for my truecrypt partition.

It would be nice if this could be fixed/worked around.

Jan
* Re: [dm-crypt] Truecrypt system partition support
From: Milan Broz @ 2013-06-20 16:50 UTC
To: Jan Janssen; +Cc: dm-crypt

On 06/20/2013 12:03 PM, Jan Janssen wrote:
> Hi,
>
> I just stumbled upon truecrypt support in cryptsetup. It sounds nice,
> but there is one big issue that prevents it from being useful in
> situations where the truecrypt partition is encrypted using system mode
> and other partitions on the drive are mounted/in use (such as dual boot
> on a single drive system).
>
> There is this small limitation that you have to specify the
> whole device for opening tcrypt system devices. And the fact that
> tcryptOpen refuses to open if that device is mapped/mounted already
> prevents me from using cryptsetup altogether for my truecrypt partition.
>
> It would be nice if this could be fixed/worked around.

Hi,

well, you are probably the first real user I know about who tried system
encryption truecrypt mapping :) So it is quite possible there are some
problems.

Please can you describe your configuration exactly (I think I understand the
problem but an exact description could be better.)
Why is the main device used? Mapped/mounted other partition or something else?
Should be easy to fix I think (we already have the --shared option for plain
mode).

(If you are able to map it with normal truecrypt in Linux, output of lsblk
with the encryption mapping active should be enough for me.)

Thanks,
Milan
* Re: [dm-crypt] Truecrypt system partition support
From: Jan Janssen @ 2013-06-21 13:58 UTC
To: Milan Broz; +Cc: dm-crypt

On Thursday 20 June 2013 18:50:10 Milan Broz wrote:
> Hi,
>
> well, you are probably the first real user I know about who tried system
> encryption truecrypt mapping :) So it is quite possible there are some
> problems.

That's probably because it's not well advertised. I found out about it by
accident and wanted to give it a try.

> Please can you describe your configuration exactly (I think I understand the
> problem but an exact description could be better.)
> Why is the main device used? Mapped/mounted other partition or something else?
> Should be easy to fix I think (we already have the --shared option for plain
> mode).
>
> (If you are able to map it with normal truecrypt in Linux, output of lsblk
> with the encryption mapping active should be enough for me.)
>
> Thanks,
> Milan

It's a simple single drive layout with a boot, windows and arch partition:

NAME            FSTYPE       LABEL    UUID                                  MOUNTPOINT
sda
├─sda1          ext4         Boot     bdf8d95e-3a5a-4944-aff1-5ce8107ee679  /boot
├─sda2
│ └─truecrypt1  ntfs         Windows  72682F78682F39ED                      /mnt/windows
└─sda3          crypto_LUKS           d998f50f-c40b-4d53-b683-90bd30da1272
  └─system      ext4         Arch     52b8c62b-23df-4b07-875b-16da3cb0cb91  /

Also, it took me a while to figure out (thanks to the manpage) that you have
to use /dev/sda to open in system mode. It would be useful if cryptsetup
could either figure out where to look for its offset from /dev/sda2 like
the "real" truecrypt does or at least give a hint that in system mode the
drive should be used instead of the partition. Or maybe give the drive to
the system option like this:

    sudo cryptsetup --tcrypt-system=/dev/sda tcryptDump /dev/sda2

Jan
* Re: [dm-crypt] Truecrypt system partition support
From: Milan Broz @ 2013-06-23 15:33 UTC
To: Jan Janssen; +Cc: dm-crypt

Hi,

On 21.6.2013 15:58, Jan Janssen wrote:
> On Thursday 20 June 2013 18:50:10 Milan Broz wrote:
>> Hi,
>>
>> well, you are probably the first real user I know about who tried system
>> encryption truecrypt mapping :) So it is quite possible there are some
>> problems.
>
> That's probably because it's not well advertised. I found out about it by
> accident and wanted to give it a try.

Yes, that's true.

The shared device for system encryption is fixed in devel git
http://code.google.com/p/cryptsetup/source/detail?r=a36de633d50d1e047cf5c0c3bc5e4d16a411fb62#

Please let me know if there is any other problem.

> Also, it took me a while to figure out (thanks to the manpage) that you have
> to use /dev/sda to open in system mode. It would be useful if cryptsetup
> could either figure out where to look for its offset from /dev/sda2 like
> the "real" truecrypt does or at least give a hint that in system mode the
> drive should be used instead of the partition.

Well, the Truecrypt header is not on the partition for system encryption,
it is outside of it, that's why it is done this way.

Anyway, I added a hint as well if the header is not detected
http://code.google.com/p/cryptsetup/source/detail?r=42b0ab437a6ef332dd33e1eda144d2c3d9a70d23

I know automatic detection is better (and will work on Windows) but with
Linux, there can be virtualized systems where a partition is used as "whole
device" for some Windows VM. Also in some cases (LVM) it can be tricky to
detect partitions and top level devices. Also a partition can be in a
different (security) context than the whole device.

Thanks!
Milan
* Re: [dm-crypt] Truecrypt system partition support
From: Jan Janssen @ 2013-06-23 21:06 UTC
To: Milan Broz; +Cc: dm-crypt

On 06/23/2013 05:33 PM, Milan Broz wrote:
> Hi,
>
> The shared device for system encryption is fixed in devel git
> http://code.google.com/p/cryptsetup/source/detail?r=a36de633d50d1e047cf5c0c3bc5e4d16a411fb62#
>
> Please let me know if there is any other problem.

Still can't open it :(

# sudo cryptsetup --tcrypt-system tcryptOpen /dev/sda windows
device-mapper: reload ioctl on failed: Invalid argument

The journal has some additional information:
kernel: device-mapper: table: 254:1: crypt: Device lookup failed
kernel: device-mapper: ioctl: error adding target to table

Also, something's off about the --key-file option with tcrypt. I can't
get it to accept my password from the file. But if I pipe it with cat
to stdin it works. Maybe it's supposed to be this way, but then I think
it needs extra mention in the manpage. And maybe there should be a way
to provide a --passphrase-file option or something along those lines
if the current handling is different to how it's handled for luks.

Thanks
Jan
* Re: [dm-crypt] Truecrypt system partition support
From: Milan Broz @ 2013-06-24 5:48 UTC
To: Jan Janssen; +Cc: dm-crypt

On 23.6.2013 23:06, Jan Janssen wrote:
> On 06/23/2013 05:33 PM, Milan Broz wrote:
>> Hi,
>>
>> The shared device for system encryption is fixed in devel git
>> http://code.google.com/p/cryptsetup/source/detail?r=a36de633d50d1e047cf5c0c3bc5e4d16a411fb62#
>>
>> Please let me know if there is any other problem.
>
> Still can't open it :(
>
> # sudo cryptsetup --tcrypt-system tcryptOpen /dev/sda windows
> device-mapper: reload ioctl on failed: Invalid argument
>
> The journal has some additional information:
> kernel: device-mapper: table: 254:1: crypt: Device lookup failed
> kernel: device-mapper: ioctl: error adding target to table

Hm, seems like a completely different problem.
I cannot check what's going on without more information here, ideally
- cryptsetup output with --debug switch
- tcryptDump (mainly offsets and data sizes stored there)
- exact sizes of partitions (fdisk -l -u, blockdev --getsz /dev/sda* or so)

(but please note it will provide some info which is hidden, do not send it
if it is a problem :-)

Ideally I would like to reproduce it, for my encrypted VM on partition
it works.
How did you create this config? Any manipulations with partitions after
system reencryption?

> Also, something's off about the --key-file option with tcrypt. I can't
> get it to accept my password from the file. But if I pipe it with cat
> to stdin it works. Maybe it's supposed to be this way, but then I think
> it needs extra mention in the manpage. And maybe there should be a way
> to provide a --passphrase-file option or something along those lines
> if the current handling is different to how it's handled for luks.

So you are not using a Truecrypt keyfile but just a passphrase in a file,
so the pipe is the correct way. I thought it is explained in the man page
but if not, it needs some care. If you have some idea how to describe
it better, just send me a patch.
(And adding more options will cause even more chaos here :)

Thanks,
Milan
* Re: [dm-crypt] Truecrypt system partition support
From: Jan Janssen @ 2013-06-24 13:55 UTC
To: Milan Broz; +Cc: dm-crypt

On 06/24/2013 07:48 AM, Milan Broz wrote:
> Hm, seems like a completely different problem.
> I cannot check what's going on without more information here, ideally
> - cryptsetup output with --debug switch
> - tcryptDump (mainly offsets and data sizes stored there)
> - exact sizes of partitions (fdisk -l -u, blockdev --getsz /dev/sda* or so)
>
> (but please note it will provide some info which is hidden, do not send it
> if it is a problem :-)

Hi, here's the info. The open log is attached.

TCRYPT header information for /dev/sda
Version:        5
Driver req.:    7
Sector size:    512
MK offset:      106928640
PBKDF2 hash:    ripemd160
Cipher chain:   aes
Cipher mode:    xts-plain64
MK bits:        512

# for i in /dev/sda*; do echo -n "$i: "; sudo blockdev --getsz $i; done
/dev/sda: 120103200
/dev/sda1: 208782
/dev/sda2: 62701695
/dev/sda3: 57192660

# fdisk -l -u

Disk /dev/sda: 61.5 GB, 61492838400 bytes, 120103200 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x000bfd29

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1              63      208844      104391   83  Linux
/dev/sda2   *      208845    62910539   31350847+   7  HPFS/NTFS/exFAT
/dev/sda3        62910540   120103199    28596330   83  Linux

> Ideally I would like to reproduce it, for my encrypted VM on partition
> it works.
> How did you create this config? Any manipulations with partitions after
> system reencryption?

I did nothing peculiar to the system. Created the layout with gparted.
I did install grub2, but it also didn't work with the truecrypt bootloader.

>> Also, something's off about the --key-file option with tcrypt. I can't
>> get it to accept my password from the file. But if I pipe it with cat
>> to stdin it works. Maybe it's supposed to be this way, but then I think
>> it needs extra mention in the manpage. And maybe there should be a way
>> to provide a --passphrase-file option or something along those lines
>> if the current handling is different to how it's handled for luks.
>
> So you are not using a Truecrypt keyfile but just a passphrase in a file,
> so the pipe is the correct way. I thought it is explained in the man page
> but if not, it needs some care. If you have some idea how to describe
> it better, just send me a patch.
> (And adding more options will cause even more chaos here :)

After re-reading it's a little clearer now. I still miss a way to supply
the passphrase in a file without resorting to piping it to stdin. It's not
an issue for luks since it allows passphrases and keyfiles together, but
truecrypt doesn't allow keyfiles in system mode.

Jan

[-- Attachment #2: tcrypt-open.log --]

# cryptsetup 1.6.2-git processing "cryptsetup --debug --tcrypt-system tcryptOpen /dev/sda windows"
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating crypt device /dev/sda context.
# Trying to open and read device /dev/sda.
# Initialising device-mapper backend library.
# STDIN descriptor passphrase entry requested.
# Trying to load TCRYPT crypt type from device /dev/sda.
# Crypto backend (gcrypt 1.5.2) initialized.
# Reading TCRYPT header of size 512 bytes from device /dev/sda.
# TCRYPT: trying KDF: pbkdf2-ripemd160-2000.
# TCRYPT: trying cipher aes-xts-plain64
# TCRYPT: trying cipher serpent-xts-plain64
# TCRYPT: trying cipher twofish-xts-plain64
# TCRYPT: trying cipher twofish-aes-xts-plain64
# TCRYPT: trying cipher serpent-twofish-aes-xts-plain64
# TCRYPT: trying cipher aes-serpent-xts-plain64
# TCRYPT: trying cipher aes-twofish-serpent-xts-plain64
# TCRYPT: trying cipher serpent-twofish-xts-plain64
# TCRYPT: trying cipher aes-lrw-benbi
# TCRYPT: trying cipher serpent-lrw-benbi
# TCRYPT: trying cipher twofish-lrw-benbi
# TCRYPT: trying cipher twofish-aes-lrw-benbi
# TCRYPT: trying cipher serpent-twofish-aes-lrw-benbi
# TCRYPT: trying cipher aes-serpent-lrw-benbi
# TCRYPT: trying cipher aes-twofish-serpent-lrw-benbi
# TCRYPT: trying cipher serpent-twofish-lrw-benbi
# TCRYPT: trying cipher aes-cbc-tcrypt
# TCRYPT: trying cipher serpent-cbc-tcrypt
# TCRYPT: trying cipher twofish-cbc-tcrypt
# TCRYPT: trying cipher twofish-aes-cbci-tcrypt
# TCRYPT: trying cipher serpent-twofish-aes-cbci-tcrypt
# TCRYPT: trying cipher aes-serpent-cbci-tcrypt
# TCRYPT: trying cipher aes-twofish-serpent-cbci-tcrypt
# TCRYPT: trying cipher serpent-twofish-cbci-tcrypt
# TCRYPT: trying cipher cast5-cbc-tcrypt
# TCRYPT: trying cipher des3_ede-cbc-tcrypt
# TCRYPT: trying cipher blowfish_le-cbc-tcrypt
# TCRYPT: trying cipher blowfish_le-aes-cbc-tcrypt
# TCRYPT: trying cipher serpent-blowfish_le-aes-cbc-tcrypt
# TCRYPT: trying KDF: pbkdf2-ripemd160-1000.
# TCRYPT: trying cipher aes-xts-plain64
# TCRYPT: Signature magic detected.
# TCRYPT: Header version: 5, req. 7, sector 512, mk_offset 106928640, hidden_size 0, volume size 32103267840
# TCRYPT: Header cipher aes-xts-plain64, key size 64
# Activating volume windows by volume key.
# dm version   OF   [16384] (*1)
# dm versions   OF   [16384] (*1)
# Detected dm-crypt version 1.12.1, dm-ioctl version 4.24.0.
# Device-mapper backend running with UDEV support enabled.
# dm status windows  OF   [16384] (*1)
# Calculated device size is 62701695 sectors (RW), offset 208845.
# Trying to activate TCRYPT device windows using cipher aes-xts-plain64.
# DM-UUID is CRYPT-TCRYPT-windows
# Udev cookie 0xd4df074 (semid 294912) created
# Udev cookie 0xd4df074 (semid 294912) incremented to 1
# Udev cookie 0xd4df074 (semid 294912) incremented to 2
# Udev cookie 0xd4df074 (semid 294912) assigned to CREATE task(0) with flags (0x0)
# dm create windows CRYPT-TCRYPT-windows OF   [16384] (*1)
# dm reload windows  OFW  [16384] (*1)
device-mapper: reload ioctl on failed: Invalid argument
# Udev cookie 0xd4df074 (semid 294912) decremented to 1
# Udev cookie 0xd4df074 (semid 294912) incremented to 2
# Udev cookie 0xd4df074 (semid 294912) assigned to REMOVE task(2) with flags (0x0)
# dm remove windows  OFW  [16384] (*1)
# windows: Stacking NODE_DEL [verify_udev]
# Udev cookie 0xd4df074 (semid 294912) decremented to 1
# Udev cookie 0xd4df074 (semid 294912) waiting for zero
# Udev cookie 0xd4df074 (semid 294912) destroyed
# windows: Processing NODE_DEL [verify_udev]
# Releasing crypt device /dev/sda context.
# Releasing device-mapper backend.
# Unlocking memory.
Command successful.
* Re: [dm-crypt] Truecrypt system partition support
From: Milan Broz @ 2013-06-30 9:11 UTC
To: Jan Janssen; +Cc: dm-crypt

On 06/24/2013 03:55 PM, Jan Janssen wrote:
> Still can't open it
>
> # sudo cryptsetup --tcrypt-system tcryptOpen /dev/sda windows
> device-mapper: reload ioctl on failed: Invalid argument
>
> The journal has some additional information:
> kernel: device-mapper: table: 254:1: crypt: Device lookup failed
> kernel: device-mapper: ioctl: error adding target to table

Hi,

please can you try the current git version?

I had to change the logic and map to the partition instead of
the whole device (because the kernel will not allow such a mapping).

(I am usually using images on disk for testing so that's why I did not
find this problem before - for loop and DM devices it worked.)

Thanks,
Milan
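The numbers Jan posted and the fix Milan describes fit together exactly: the header's MK offset (106928640 bytes) is sector 208845, the start of /dev/sda2, and the volume size (32103267840 bytes) is 62701695 sectors, the full length of that partition. So a dm-crypt table backed by /dev/sda at offset 208845 and one backed by /dev/sda2 at offset 0 address the same bytes, and only the second is accepted while /dev/sda3 is already claimed by the LUKS root mapping. The script below, added here as an illustration and not code from cryptsetup or from either poster, parses the fdisk table from the thread, locates the partition that contains the header-described data area, refuses a data area that crosses a partition boundary (what a partition table edited after system encryption would look like), and prints both forms of the table line. Device names, the partition table and the header values are copied from the thread; the key is a placeholder.

```python
"""Translate a TrueCrypt system-encryption data area from whole-disk
coordinates to the partition that contains it.

Added example, not cryptsetup's own code. Header values and the
partition table below are copied from the tcryptDump, --debug and
fdisk output posted in this thread; the key is a placeholder."""
from __future__ import annotations

import re
from dataclasses import dataclass

SECTOR = 512

# Constructed from the "fdisk -l -u" output in the thread (sector units).
FDISK_OUTPUT = """\
   Device Boot      Start         End      Blocks   Id  System
/dev/sda1              63      208844      104391   83  Linux
/dev/sda2   *      208845    62910539   31350847+   7  HPFS/NTFS/exFAT
/dev/sda3        62910540   120103199    28596330   83  Linux
"""

# "MK offset" from tcryptDump and "volume size" from the --debug log (bytes).
MK_OFFSET_BYTES = 106928640
VOLUME_SIZE_BYTES = 32103267840


@dataclass(frozen=True)
class Partition:
    dev: str
    start: int  # first sector, counted from the start of the whole disk
    end: int    # last sector, inclusive

    @property
    def sectors(self) -> int:
        return self.end - self.start + 1


def parse_fdisk(text: str) -> list[Partition]:
    """Pull (device, start, end) out of fdisk -l -u lines for a DOS label."""
    parts = []
    for line in text.splitlines():
        m = re.match(r"^(/dev/\S+)\s+\*?\s*(\d+)\s+(\d+)\s", line)
        if m:
            parts.append(Partition(m.group(1), int(m.group(2)), int(m.group(3))))
    return parts


def locate_volume(parts: list[Partition], mk_offset_bytes: int,
                  volume_size_bytes: int) -> tuple[Partition, int, int]:
    """Return (partition, offset inside it in sectors, size in sectors).

    Raises if the data area is not sector aligned or straddles a partition
    boundary, which is what a partition table edited after the system was
    encrypted would look like."""
    if mk_offset_bytes % SECTOR or volume_size_bytes % SECTOR:
        raise ValueError("header offset/size are not multiples of 512 bytes")
    start = mk_offset_bytes // SECTOR
    size = volume_size_bytes // SECTOR
    end = start + size - 1
    for p in parts:
        if p.start <= start and end <= p.end:
            return p, start - p.start, size
    raise ValueError(f"sectors {start}-{end} do not lie inside one partition")


def dm_tables(disk: str, parts: list[Partition], mk_offset_bytes: int,
              volume_size_bytes: int,
              key_hex: str = "<KEY-PLACEHOLDER>") -> tuple[str, str]:
    """Build the dm-crypt table line both ways: backed by the whole disk
    (what the failing version in the thread did) and backed by the partition.

    Format: <start> <len> crypt <cipher> <key> <iv_offset> <device> <offset>.
    Both lines keep iv_offset 0, so the plain64 IV (logical sector within the
    mapping) is identical and the data decrypts the same either way."""
    p, rel_offset, size = locate_volume(parts, mk_offset_bytes, volume_size_bytes)
    cipher = "aes-xts-plain64"  # from the header dump in the thread
    whole = f"0 {size} crypt {cipher} {key_hex} 0 {disk} {mk_offset_bytes // SECTOR}"
    part = f"0 {size} crypt {cipher} {key_hex} 0 {p.dev} {rel_offset}"
    return whole, part


if __name__ == "__main__":
    table = parse_fdisk(FDISK_OUTPUT)
    p, off, size = locate_volume(table, MK_OFFSET_BYTES, VOLUME_SIZE_BYTES)
    print(f"data area is {p.dev} at offset {off}, {size} sectors "
          f"(partition has {p.sectors})")
    for line in dm_tables("/dev/sda", table, MK_OFFSET_BYTES, VOLUME_SIZE_BYTES):
        print(line)
```

Run it as-is and it reports that the data area is /dev/sda2 at offset 0, 62701695 sectors, which is also the blockdev --getsz value Jan posted for that partition. The whole-disk boundary check matters in practice: a partition that was resized or moved after the system was encrypted will make the header-described area spill past the partition end, and mapping it to the partition would silently truncate the volume, so the script refuses instead.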
* Re: [dm-crypt] Truecrypt system partition support
From: Jan Janssen @ 2013-06-30 11:44 UTC
To: Milan Broz; +Cc: dm-crypt

On 06/30/2013 11:11 AM, Milan Broz wrote:
> On 06/24/2013 03:55 PM, Jan Janssen wrote:
>
>> Still can't open it
>>
>> # sudo cryptsetup --tcrypt-system tcryptOpen /dev/sda windows
>> device-mapper: reload ioctl on failed: Invalid argument
>>
>> The journal has some additional information:
>> kernel: device-mapper: table: 254:1: crypt: Device lookup failed
>> kernel: device-mapper: ioctl: error adding target to table
>
> Hi,
>
> please can you try the current git version?
>
> I had to change the logic and map to the partition instead of
> the whole device (because the kernel will not allow such a mapping).
>
> (I am usually using images on disk for testing so that's why I did not
> find this problem before - for loop and DM devices it worked.)
>
> Thanks,
> Milan
>

Hi,

it's working now. Yay!

I'll see if I can make the cryptsetup logic of systemd support tcrypt now.
Hopefully, it'll give you some more hamsters to test the code :D

Thanks,
Jan