SDB:Crypto Partition/Files Changes in SUSE Linux Professional 9.3



Version: 9.3

Crypto Partition/Files Changes in SUSE Linux Professional 9.3

Technical Background

With SUSE LINUX 9.3 we switched from loop_fish2 to twofish as the encryption module. The twofish module together with cryptoloop is now the standard method for crypto partitions. We made that switch because twofish together with cryptoloop is more secure (cryptoloop uses the block number as the initialization vector, whereas loop_fish2 always uses zero) and is the standard solution for crypto partitions.

WARNING: DO NOT RUN FSCK

The on-disk format of the two modules is different. If you access a crypto partition via the wrong module, the automatic boot scripts will recognize the filesystem (since the first block is very similar) but detect that the rest appears to be wrong and offer a filesystem check. Do not run this filesystem check. Instead, just reply 'no' and check that the correct module is used. If you ignore this warning, the filesystem check will result in total data loss.

SUSE Linux now makes use of the following different crypto filesystem implementations:

SUSE Version   Encryption Name   Key Length   Kernel Modules        Initialization Vector (IV)
Prior to 9.1   twofish           160 Bits     loop_fish2            constant
9.1 and 9.2    twofish256        256 Bits     loop_fish2            constant
9.3            twofish256        256 Bits     twofish, cryptoloop   block number

As you can see, the encryption name twofish256 is the same in SUSE LINUX 9.1/9.2 and 9.3, but it makes use of different kernel modules. Unfortunately the on-disk format used by these modules is different and therefore they are incompatible. The on-disk format is also not detectable, because this would mean you could guess the encryption type from the encrypted data, which would be a security flaw.
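
A simplified model of the IV difference in the table above, added here as an illustration; it is not the code of loop_fish2 or cryptoloop. It assumes CBC chaining over 512-byte blocks and uses a toy Feistel cipher as a stand-in for Twofish; all names, the key and the data are constructed.

```python
import hashlib

BLOCK, SECTOR = 16, 512  # cipher block / disk block size in bytes (assumed)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of the stand-in cipher (a toy, NOT Twofish).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def iv_constant(block_no):        # loop_fish2 per the table: IV is always zero
    return bytes(BLOCK)
def iv_block_number(block_no):    # cryptoloop per the table: IV is the block number
    return block_no.to_bytes(BLOCK, "little")  # byte layout is an assumption

def cbc(key, block_no, data, iv_fn, decrypt=False):
    prev, out = iv_fn(block_no), b""
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        if decrypt:
            out, prev = out + _xor(dec_block(key, blk), prev), blk
        else:
            prev = enc_block(key, _xor(blk, prev))
            out += prev
    return out

def image(key, sectors, iv_fn, decrypt=False):
    return [cbc(key, n, s, iv_fn, decrypt) for n, s in enumerate(sectors)]

def demo():
    key = b"constructed demo key"
    plain = [b"S" * SECTOR, b"A" * SECTOR, b"A" * SECTOR]  # constructed data
    old, new = image(key, plain, iv_constant), image(key, plain, iv_block_number)
    wrong = image(key, old, iv_block_number, decrypt=True)  # old data, new module
    return {"constant_iv_repeats": old[1] == old[2], "block_iv_repeats": new[1] == new[2],
            "block0_readable": wrong[0] == plain[0], "block1_readable": wrong[1] == plain[1]}
```

In this model, identical plaintext blocks produce identical ciphertext under the constant IV but not under the block-number IV, and data written with the constant IV decrypts unchanged only at block 0 when read with the block-number IV.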

These limitations entail some problems we cannot cover technically. That means you have to intervene manually in the following case:

New Installation and Access to Old Crypto Partition

If you make a fresh install of SUSE LINUX 9.3 and use it to access existing crypto partitions from SUSE LINUX 9.1 or 9.2, you have to specify the proper encryption name in your configuration files. This is either /etc/cryptotab or /etc/fstab. As described above, there are 3 different implementations and two of them use the same encryption name. To differentiate between these two we have implemented the encryption name twofishSL92, which is an alias for twofish256 with loop_fish2. So in your configuration files change:

twofish256 to twofishSL92

Example:

Old cryptotab from SUSE LINUX 9.2:

/dev/loop0  /dev/hda3  /secret  reiserfs  twofish256 noatime

New cryptotab from SUSE LINUX 9.3:

/dev/loop0  /dev/hda3  /secret  reiserfs  twofishSL92 noatime

Things we have covered because they were technically possible are:

Update from Older Distributions

During a system update /etc/fstab and /etc/cryptotab will be changed by the YaST Installer.

Installation of New Distribution

A new installation will use the new cryptoloop module exclusively.