* [dm-crypt] cryptesetup remove question
@ 2010-03-25 23:38 Jamaal Speights
2010-03-26 8:58 ` Milan Broz
0 siblings, 1 reply; 7+ messages in thread
From: Jamaal Speights @ 2010-03-25 23:38 UTC (permalink / raw)
To: dm-crypt
[-- Attachment #1: Type: text/plain, Size: 457 bytes --]
I am curious about the cryptsetup remove function and its purpose after
rebooting a system. Is my system still vulnerable to someone else mounting
my encrypted file if I don't remove the mapping before I reboot? When my
system comes back up I don't see the mapping in /dev/mapping/cryptfile .
Also if I do cryptsetup to mount the image again I have to re-enter the
password. So whats the point of using cryptsetup remove when shutting your
system down?
[-- Attachment #2: Type: text/html, Size: 481 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [dm-crypt] cryptesetup remove question
2010-03-25 23:38 [dm-crypt] cryptesetup remove question Jamaal Speights
@ 2010-03-26 8:58 ` Milan Broz
2010-03-29 20:21 ` Jamaal Speights
0 siblings, 1 reply; 7+ messages in thread
From: Milan Broz @ 2010-03-26 8:58 UTC (permalink / raw)
To: Jamaal Speights; +Cc: dm-crypt
On 03/26/2010 12:38 AM, Jamaal Speights wrote:
> I am curious about the cryptsetup remove function and its purpose after
> rebooting a system. Is my system still vulnerable to someone else
> mounting my encrypted file if I don't remove the mapping before I
> reboot? When my system comes back up I don't see the mapping in
> /dev/mapping/cryptfile . Also if I do cryptsetup to mount the image
> again I have to re-enter the password. So whats the point of using
> cryptsetup remove when shutting your system down?
Remove key from memory? (google coldboot attack)
Deactivate crypt mapping so underlying storage can safely deactivate
devices (LVM for example)?
Umount underlying filesystem if mappping is to file on it?
...
Milan
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [dm-crypt] cryptesetup remove question
2010-03-26 8:58 ` Milan Broz
@ 2010-03-29 20:21 ` Jamaal Speights
2010-03-29 21:41 ` Arno Wagner
2010-03-29 22:59 ` Milan Broz
0 siblings, 2 replies; 7+ messages in thread
From: Jamaal Speights @ 2010-03-29 20:21 UTC (permalink / raw)
To: Milan Broz; +Cc: dm-crypt
[-- Attachment #1: Type: text/plain, Size: 1078 bytes --]
Thanks.
When I do dmsetup table [name] --showkey
I see aes-cbc-plain. Then 64 characters. I see the first 40 are the
*RIPEMD-160
Hash* of my password. What are the last 24 characters?
ripemd160_passphrase + ??????
thanks
-j
On Fri, Mar 26, 2010 at 4:58 AM, Milan Broz <mbroz@redhat.com> wrote:
> On 03/26/2010 12:38 AM, Jamaal Speights wrote:
> > I am curious about the cryptsetup remove function and its purpose after
> > rebooting a system. Is my system still vulnerable to someone else
> > mounting my encrypted file if I don't remove the mapping before I
> > reboot? When my system comes back up I don't see the mapping in
> > /dev/mapping/cryptfile . Also if I do cryptsetup to mount the image
> > again I have to re-enter the password. So whats the point of using
> > cryptsetup remove when shutting your system down?
>
> Remove key from memory? (google coldboot attack)
>
> Deactivate crypt mapping so underlying storage can safely deactivate
> devices (LVM for example)?
>
> Umount underlying filesystem if mappping is to file on it?
>
> ...
>
> Milan
>
[-- Attachment #2: Type: text/html, Size: 1581 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [dm-crypt] cryptesetup remove question
2010-03-29 20:21 ` Jamaal Speights
@ 2010-03-29 21:41 ` Arno Wagner
2010-03-29 22:59 ` Milan Broz
1 sibling, 0 replies; 7+ messages in thread
From: Arno Wagner @ 2010-03-29 21:41 UTC (permalink / raw)
To: dm-crypt
Without checking: The salt?
Arno
On Mon, Mar 29, 2010 at 04:21:41PM -0400, Jamaal Speights wrote:
> Thanks.
>
> When I do dmsetup table [name] --showkey
>
> I see aes-cbc-plain. Then 64 characters. I see the first 40 are the
> *RIPEMD-160
> Hash* of my password. What are the last 24 characters?
>
> ripemd160_passphrase + ??????
>
> thanks
>
> -j
>
>
> On Fri, Mar 26, 2010 at 4:58 AM, Milan Broz <mbroz@redhat.com> wrote:
>
> > On 03/26/2010 12:38 AM, Jamaal Speights wrote:
> > > I am curious about the cryptsetup remove function and its purpose after
> > > rebooting a system. Is my system still vulnerable to someone else
> > > mounting my encrypted file if I don't remove the mapping before I
> > > reboot? When my system comes back up I don't see the mapping in
> > > /dev/mapping/cryptfile . Also if I do cryptsetup to mount the image
> > > again I have to re-enter the password. So whats the point of using
> > > cryptsetup remove when shutting your system down?
> >
> > Remove key from memory? (google coldboot attack)
> >
> > Deactivate crypt mapping so underlying storage can safely deactivate
> > devices (LVM for example)?
> >
> > Umount underlying filesystem if mappping is to file on it?
> >
> > ...
> >
> > Milan
> >
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [dm-crypt] cryptesetup remove question
2010-03-29 20:21 ` Jamaal Speights
2010-03-29 21:41 ` Arno Wagner
@ 2010-03-29 22:59 ` Milan Broz
2010-03-30 18:52 ` [dm-crypt] device-mapper: remove ioctl failed: Device or resource busy Ali Reza Sajedi
1 sibling, 1 reply; 7+ messages in thread
From: Milan Broz @ 2010-03-29 22:59 UTC (permalink / raw)
To: Jamaal Speights; +Cc: dm-crypt
On 03/29/2010 10:21 PM, Jamaal Speights wrote:
> When I do dmsetup table [name] --showkey
>
> I see aes-cbc-plain. Then 64 characters. I see the first 40 are the
> *RIPEMD-160 Hash* of my password. What are the last 24 characters?
>
> ripemd160_passphrase + ??????
you mean after plain create command (iow not using LUKS?)
The key is generated by hashing passphrase in rounds,
so first is plain hash of passphrase (default is ripemd160),
if requested key is larger some fixed chars are added to password
and it is hashed again.
(I think it is taken from hashalot package.)
See gcrypt_hash in source, it is original algorithm
from old cryptsetup.
Or you can use pregenerated key in plain mode from keyfile.
Or you can use passphrase directly as key (zero padded)
See man page.
LUKS generates master key always from RNG, passphrase just
unlock key slot where it is stored.
Milan
^ permalink raw reply [flat|nested] 7+ messages in thread
* [dm-crypt] device-mapper: remove ioctl failed: Device or resource busy
2010-03-29 22:59 ` Milan Broz
@ 2010-03-30 18:52 ` Ali Reza Sajedi
2010-03-30 19:43 ` Milan Broz
0 siblings, 1 reply; 7+ messages in thread
From: Ali Reza Sajedi @ 2010-03-30 18:52 UTC (permalink / raw)
To: dm-crypt
Hello All,
upgrading from cryptsetup 1.0.6 to 1.1.0 has led to the above message
everytime I attempt to unlock the device.
There are many discussions going on on the matter in various forums.
However, unfortunately, I couldn't find a solution to switch out the
message.
Has anybody got an idea how this could be done.
Best regards
Ali
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [dm-crypt] device-mapper: remove ioctl failed: Device or resource busy
2010-03-30 18:52 ` [dm-crypt] device-mapper: remove ioctl failed: Device or resource busy Ali Reza Sajedi
@ 2010-03-30 19:43 ` Milan Broz
0 siblings, 0 replies; 7+ messages in thread
From: Milan Broz @ 2010-03-30 19:43 UTC (permalink / raw)
To: Ali Reza Sajedi; +Cc: dm-crypt
On 03/30/2010 08:52 PM, Ali Reza Sajedi wrote:
> Hello All,
>
> upgrading from cryptsetup 1.0.6 to 1.1.0 has led to the above message
> everytime I attempt to unlock the device.
>
> There are many discussions going on on the matter in various forums.
> However, unfortunately, I couldn't find a solution to switch out the
> message.
Does it work after that message? (If you run with --debug, do you see
that operation was repeated successfully?)
If so, some udev rule is doing something nasty. Again.
you can try kill udev and try to reproduce - I bet it will work without
problem.
The usual problem is that some udev rules are written such way,
that run scan of device on every event.
And they even try to scan internal keyslot device.
If you want experiment:
- run cryptsetup luksOpen with --debug
- run udevadm monitor and try to identify which rule is triggered
and locks the device
(Usualy it is blkid reacting to some event.)
Check if there is some filtering on temporary cryptsetup device.
Check if there is "+watch" which generates events when device is closed.
Try to disable these lines. Recent packages should be "fixed".
Submit bug to your distro to package which owns this rule...
(udev, DeviceKit-disks aka udisks or so)
Unfortunatelly discussion with udev developers is currently not too
helpful.
Milan
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2010-03-30 19:43 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-03-25 23:38 [dm-crypt] cryptesetup remove question Jamaal Speights
2010-03-26 8:58 ` Milan Broz
2010-03-29 20:21 ` Jamaal Speights
2010-03-29 21:41 ` Arno Wagner
2010-03-29 22:59 ` Milan Broz
2010-03-30 18:52 ` [dm-crypt] device-mapper: remove ioctl failed: Device or resource busy Ali Reza Sajedi
2010-03-30 19:43 ` Milan Broz
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.