SDB:Crypto Partition/Files Changes in SUSE Linux Professional 9.3
Version: 9.3
Technical Background
With SUSE LINUX 9.3 we switched from loop_fish2 to twofish as the encryption module. twofish together with cryptoloop is now the standard method for crypto partitions. We made that switch because twofish with cryptoloop is more secure (cryptoloop uses the block number as the initialization vector, whereas loop_fish2 always uses a zero IV) and because it is the standard Linux solution for crypto partitions.
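Why the choice of initialization vector matters is easy to see in code. The following is an added example, not part of the SUSE article, and it does not use twofish: it uses a deliberately simple, insecure stand-in block cipher (a keyed byte substitution with rotation, labelled as such) purely to show the CBC structure both modules share. It encrypts three 512-byte sectors, two of them identical, once with a constant zero IV (loop_fish2 behaviour as the article describes it) and once with the sector number as IV (cryptoloop behaviour); the little-endian encoding of the sector number is an assumption for the demo. With the constant IV, anyone who can read the raw partition can see which sectors hold identical plaintext; with a per-sector IV they cannot.

```python
import random

BLOCK = 16    # block size of the stand-in cipher, in bytes
SECTOR = 512  # one disk sector, the unit cryptoloop encrypts with a fresh IV


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_toy_cipher(key: bytes):
    """Return (enc, dec): a keyed 16-byte permutation built from XOR, a byte
    substitution and a rotation. Structure only: it is NOT secure and NOT
    twofish, but it is a bijection, which is all CBC needs for the demo."""
    rng = random.Random(key)
    sbox = list(range(256))
    rng.shuffle(sbox)
    inv = [0] * 256
    for i, v in enumerate(sbox):
        inv[v] = i
    k = (key * (BLOCK // len(key) + 1))[:BLOCK]

    def enc(block: bytes) -> bytes:
        x = _xor(block, k)
        for _ in range(4):
            x = bytes(sbox[c] for c in x)
            x = x[1:] + x[:1]
            x = _xor(x, k)
        return x

    def dec(block: bytes) -> bytes:
        x = block
        for _ in range(4):
            x = _xor(x, k)
            x = x[-1:] + x[:-1]
            x = bytes(inv[c] for c in x)
        return _xor(x, k)

    return enc, dec


def cbc_encrypt(enc, iv: bytes, data: bytes) -> bytes:
    """Plain CBC: each plaintext block is XORed with the previous ciphertext
    block (the IV for the first one) before encryption."""
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        prev = enc(_xor(data[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(dec, iv: bytes, data: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out += _xor(dec(c), prev)
        prev = c
    return bytes(out)


def constant_iv(sector_no: int) -> bytes:
    """loop_fish2 behaviour as the article describes it: the IV is always zero."""
    return bytes(BLOCK)


def block_number_iv(sector_no: int) -> bytes:
    """cryptoloop behaviour as the article describes it: the sector number is
    the IV. The little-endian encoding is an assumption made for this demo."""
    return sector_no.to_bytes(BLOCK, "little")


def encrypt_disk(enc, iv_for_sector, sectors):
    """Encrypt a list of sectors, each with the IV its sector number yields."""
    return [cbc_encrypt(enc, iv_for_sector(n), s) for n, s in enumerate(sectors)]


def identical_sector_pairs(ciphertexts):
    """Sector index pairs with byte-identical ciphertext: exactly what anyone
    who can read the raw partition learns about the plaintext."""
    n = len(ciphertexts)
    return [(i, j) for i in range(n) for j in range(i + 1, n)
            if ciphertexts[i] == ciphertexts[j]]


if __name__ == "__main__":
    enc, dec = make_toy_cipher(b"demo-key")        # constructed key
    zero, other = bytes(SECTOR), b"A" * SECTOR      # constructed sectors
    disk = [zero, zero, other]                      # sectors 0 and 1 are equal
    print("constant IV, equal ciphertext sectors:",
          identical_sector_pairs(encrypt_disk(enc, constant_iv, disk)))
    print("block-number IV, equal ciphertext sectors:",
          identical_sector_pairs(encrypt_disk(enc, block_number_iv, disk)))
```

Running it prints `[(0, 1)]` for the constant IV and `[]` for the block-number IV. The same effect shows up on a real filesystem: unused space and repeated file content produce visibly repeated ciphertext sectors under a constant IV, which is the weakness the switch to cryptoloop removes.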
WARNING: DO NOT RUN FSCK
The on-disk formats of the two modules differ. If you access a partition through the wrong module, the automatic boot scripts will still recognize the filesystem (the first block looks very similar), but will detect that the rest appears to be wrong and offer a filesystem check. Do not run this filesystem check: reply 'no' and verify that the correct module is being used. If you ignore this warning, the filesystem check will result in total data loss.
SUSE Linux now makes use of the following different crypto filesystem implementations:

| SUSE Version | Encryption Name | Key Length | Kernel Modules | Initialization vector (IV) |
|--------------|-----------------|------------|---------------------|----------------------------|
| Prior to 9.1 | twofish | 160 Bits | loop_fish2 | constant |
| 9.1 and 9.2 | twofish256 | 256 Bits | loop_fish2 | constant |
| 9.3 | twofish256 | 256 Bits | twofish, cryptoloop | block number |
As you can see, the encryption name twofish256 is the same in SUSE LINUX 9.1/9.2 and 9.3, but it refers to different kernel modules. Unfortunately the on-disk format used by these modules is different, so they are incompatible. The on-disk format is also, by design, not detectable: being able to tell the encryption type from encrypted data would be a security flaw.
These limitations cause some problems we cannot handle automatically. That means you have to intervene manually in the following case:
New-Installation and Access to Old Crypto Partition
If you make a fresh install of SUSE LINUX 9.3 and use it to access existing crypto partitions from SUSE LINUX 9.1 or 9.2, you have to specify the proper encryption name in your configuration files, either /etc/cryptotab or /etc/fstab. As shown above, there are three different implementations, and two of them use the same encryption name. To differentiate between these two we have introduced the encryption name twofishSL92, which is an alias for twofish256 with loop_fish2. So in your configuration files change twofish256 to twofishSL92.
Example:
Old cryptotab from SUSE LINUX 9.2:
/dev/loop0 /dev/hda3 /secret reiserfs twofish256 noatime
New cryptotab from SUSE LINUX 9.3:
/dev/loop0 /dev/hda3 /secret reiserfs twofishSL92 noatime
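A small script for the rewrite described above, as an added example that is not SUSE's own tooling. It assumes the /etc/cryptotab layout of the article's example (loop device, block device, mount point, filesystem type, encryption name, options, whitespace-separated) and, for /etc/fstab, that the encryption name appears as a mount option of the form encryption=<name>; that fstab form is an assumption of this script. It only changes the encryption field, backs the file up first, and can be limited to the block devices you know came from 9.1/9.2, since a partition created on 9.3 must keep twofish256.

```python
"""Rewrite twofish256 entries to twofishSL92 in cryptotab/fstab style files.

Added example, not part of SUSE LINUX. Run it on a fresh 9.3 install whose
crypto entries were carried over from 9.1/9.2; pass device names to restrict
the rewrite to those partitions. It never touches the partitions themselves.
"""
import re
import shutil
import sys

OLD, NEW = "twofish256", "twofishSL92"

# cryptotab line: loop device, block device, mount point, fs type, encryption, options
CRYPTOTAB = re.compile(r"^(\s*\S+\s+(\S+)\s+\S+\s+\S+\s+)" + OLD + r"(?=\s|$)")
# fstab line: block device first; the encryption=<name> mount option is an
# assumption of this script, not something the article shows
FSTAB = re.compile(r"^(\s*(\S+)\s.*?(?<![^\s,])encryption=)" + OLD + r"(?![^\s,])")


def _rewrite(text: str, pattern: re.Pattern, devices=None):
    """Return (new_text, changed_count). Comment lines are left alone; if
    `devices` is given, only entries for those block devices are rewritten."""
    out, changed = [], 0
    for line in text.splitlines(keepends=True):
        m = pattern.match(line)
        if (m and not line.lstrip().startswith("#")
                and (devices is None or m.group(2) in devices)):
            # the match is anchored at column 0, so group(1) is the whole prefix
            line = m.group(1) + NEW + line[m.end():]
            changed += 1
        out.append(line)
    return "".join(out), changed


def migrate_cryptotab(text: str, devices=None):
    return _rewrite(text, CRYPTOTAB, devices)


def migrate_fstab(text: str, devices=None):
    return _rewrite(text, FSTAB, devices)


def migrate_file(path: str, migrate, devices=None, dry_run=False) -> int:
    """Apply `migrate` to a file; keep a backup copy next to it. Returns the
    number of entries that were (or, with dry_run, would be) changed."""
    with open(path) as f:
        text = f.read()
    new_text, changed = migrate(text, devices)
    if changed and not dry_run:
        shutil.copy2(path, path + ".pre-twofishSL92")  # backup before editing
        with open(path, "w") as f:
            f.write(new_text)
    return changed


if __name__ == "__main__":
    # usage: migrate.py [--dry-run] [/dev/hda3 ...]
    args = sys.argv[1:]
    dry = "--dry-run" in args
    devs = {a for a in args if a != "--dry-run"} or None
    for path, fn in (("/etc/cryptotab", migrate_cryptotab), ("/etc/fstab", migrate_fstab)):
        try:
            n = migrate_file(path, fn, devs, dry)
        except FileNotFoundError:
            continue
        print(f"{path}: {n} entr{'y' if n == 1 else 'ies'} {'would be ' if dry else ''}changed")
```

Run it first with `--dry-run` and with the device names of the old partitions, then without `--dry-run` once the counts match what you expect. After editing, the filesystem should mount cleanly; if the boot scripts offer a filesystem check instead, the module selection is still wrong and you should answer 'no' as the warning above says.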
Things we have covered because they were technically possible are:
Update from Older Distributions
During a system update /etc/fstab and /etc/cryptotab will be changed by the YaST Installer.
Installation of New Distribution
A new installation will use the new cryptoloop module exclusively.