/[pkg-cryptsetup]/cryptsetup/trunk/debian/README.html
ViewVC logotype

Contents of /cryptsetup/trunk/debian/README.html

Parent Directory Parent Directory | Revision Log Revision Log

Revision 34 - (show annotations) (download) (as text)
Sun Jan 22 07:00:34 2006 UTC (7 years, 4 months ago) by mejo
File MIME type: text/html
File size: 21038 byte(s) 
upload cryptsetup
1 <!DOCTYPE html
2 PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
3 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
5 <head>
6 <base href="http://www.saout.de/misc/dm-crypt/">
7 <title>dm-crypt - a device-mapper crypto target</title>
8 <meta name="robots" content="index" />
9 <meta name="robots" content="nofollow" />
10 <meta name="MSSmartTagsPreventParsing" content="TRUE" />
11 <style type="text/css">
12 <!--
13 body, h1, div {
14 font-family: Arial, Helvetica, Sans-Serif;
15 background-color: rgb(255, 255, 255);
16 color: rgb(0, 0, 0);
17 }
18 img {
19 vertical-align: bottom;
20 }
21 acronym {
22 color: rgb(255, 255, 255);
23 }
24 dt {
25 margin-top: 6pt;
26 }
27 dd {
28 margin-bottom: 12pt;
29 }
30 ul {
31 margin-top: 6pt;
32 margin-bottom: 6pt;
33 }
34 // -->
35 </style>
36 </head>
37 <body>
38 <h1>dm-crypt: a device-mapper crypto target</h1>
39 <div>
40 <h3>About</h3>
41 <p>
42 Device-mapper is a new infrastructure in the Linux 2.6 kernel that provides
43 a generic way to create virtual layers of block devices that can do different
44 things on top of real block devices like striping, concatenation, mirroring,
45 snapshotting, etc... The device-mapper is used by the
46 <a href="http://www.sistina.com/products_lvm.htm">LVM2</a> and
47 <a href="http://evms.sourceforge.net/">EVMS 2.x</a> tools.<br />
48 dm-crypt is such a device-mapper target that provides transparent encryption of
49 block devices using the new Linux 2.6 cryptoapi. The user can basically specify
50 one of the symmetric ciphers, a key (of any allowed size), an iv generation mode
51 and then he can create a new block device in /dev. Writes to this device will
52 be encrypted and reads decrypted. You can mount your filesystem on it as usual.
53 But without the key you can't access your data.<br />
54 It does basically the same as cryptoloop only that it's a much cleaner code and
55 better suits the need of a block device and has a more flexible configuration
56 interface. The on-disk format is also compatible. In the future you will be able
57 to specify other iv generation modes for enhanced security (you'll have to
58 reencrypt your filesystem though).<br />
59 </p>
60 <p>
61 I've set up a <a href="/tikiwiki/">Wiki</a>. It's naked at the moment, feel free
62 to fill it with some useful informations.<br />
63 There's a mailing list at <a href="mailto:dm-crypt@saout.de">dm-crypt@saout.de</a>.
64 If you want to subscribe just send an empty mail to
65 <a href="mailto:dm-crypt-subscribe@saout.de">dm-crypt-subscribe@saout.de</a>.<br />
66 <a href="http://www.gmane.org/">Gmane</a> provides a NNTP interface and
67 <a href="http://news.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt">web archive</a>
68 for this mailing list.<br />
69 </p>
70 </div>
71 <div>
72 <h3>Download</h3>
73 <p>
74 There is support for dm-crypt in the latest official kernel
75 <a href="http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.4">2.6.4</a>
76 which you can find on <a href="http://www.kernel.org/">kernel.org</a>.
77 Please use the <a href="http://www.kernel.org/mirrors/">mirrors</a> for downloads.<br />
78 <em>There is a <code>HIGHMEM</code> cryptoapi bug in kernels before 2.6.4-rc2, please
79 upgrade if you were using such a kernel.</em><br />
80 The latest version of the native userspace setup tool is <a href="cryptsetup-0.1.tar.bz2">cryptsetup 0.1</a>.<br />
81 Clemens Fruhwirth is maintaining an
82 <a href="http://luks.endorphin.org/dm-crypt">enhanced
83 version of cryptsetup with the LUKS extension</a> that allows you to have an
84 on-disk block of metadata which is superior to the current mechanism and was
85 my long term plan anyway but I didn't find the time to implement that yet...
86 </p>
87 </div>
88 <div>
89 <h3>Description</h3>
90 <p>
91 <em>NEW:</em> I've set up a <a href="/tikiwiki/">Wiki</a>. It's naked at the moment, feel free
92 to fill it with some useful informations.<br />
93 </p>
94 <p>
95 <strong>Installation:</strong><br />
96 Once you have a Linux 2.6 kernel with dm-crypt support on your machine,
97 you need to activate device-mapper and dm-crypt in your kernel.<br />
98 You can find both config options under
99 <code>Device Drivers &gt; Multi-device support (RAID and LVM)</code>.
100 Both can be compiled statically or as modules (code which you can insert
101 and remove from the kernel at runtime).<br />
102 The config options are also called <code>CONFIG_BLK_DEV_DM</code> and
103 <code>CONFIG_DM_CRYPT</code>.<br />
104 You also need some userspace tools. You need to install the device-mapper
105 package, you can find the latest version
106 <a href="ftp://sources.redhat.com/pub/dm/">here</a>.
107 </p>
108 <p>
109 If you have compiled device-mapper as a module you must load it using
110 <code>modprobe dm-mod</code>, the dm-crypt module should autoload when
111 used.<br />
112 You should make sure that you have the <code>/dev/mapper</code> directory
113 and the <code>/dev/mapper/control</code> device node.<br />
114 If not, you should follow the instructions in the INSTALL file found in
115 the <a href="ftp://sources.redhat.com/pub/dm/">device-mapper package</a>.
116 The INTRO file also explains some device-mapper basics which might be useful.<br />
117 </p>
118 <p>
119 <strong>Setup:</strong><br />
120 The mapped device can be created through userspace tools calling the appropriate
121 device-mapper ioctl. Since there are no dedicated tools yet everything is done
122 through <code>dmsetup</code>.<br />
123 <em>(note: If you don't want to know the details you might want to skipt the next
124 paragraphs and directly go to the description of <a href="#cryptsetup">cryptsetup</a>)</em><br />
125 </p>
126 <p>
127 <code>dmsetup</code> is used to create and remove devices, get information about
128 devices or reload tables (that means changing the mapping while the device is in
129 use).<br />
130 The syntax for device creation is: <code>dmsetup create <em>&lt;name&gt;</em></code><br />
131 <em>&lt;name&gt;</em> is the name of the created device. It will appear under
132 /dev/mapper/<em>&lt;name&gt;</em>.<br />
133 <code>dmsetup</code> then expects the <em>table</em> on stdin (you could also give
134 a file name as third parameter).<br />
135 The table is a list of lines with a sector range, target type and target config. It looks like:<br />
136 <code><em>&lt;start sector&gt;</em> <em>&lt;sector count&gt;</em> <em>&lt;target type&gt;</em> <em>&lt;arguments&gt;</em></code><br />
137 I'm not going into every detail here. A dm-crypt table looks like:<br />
138 </p>
139 <p>
140 <code><strong>0 <em>&lt;sector count&gt;</em> crypt <em>&lt;sector format&gt;</em> <em>&lt;key&gt;</em> <em>&lt;IV offset&gt;</em> <em>&lt;real device&gt;</em> <em>&lt;sector offset&gt;</em></strong></code>
141 </p>
142 <dl>
143 <dt><em>&lt;sector format&gt;</em></dt>
144 <dd>
145 It consists of the name of the symmetric encryption cipher and an optional
146 IV generation mode (if none is selected the cryptoloop compatible <em>plain</em> mode
147 is chosen).<br />
148 Currently the IV generation modes <em>ecb</em> and <em>plain</em> are available.
149 <em>ecb</em> means no cipher block chaining and IV is used at all (don't do this
150 if you don't know what you're doing, it is a security catastrophe!). <em>plain</em>
151 uses the unhashed 32 bit sector number as IV. The IV generation mode is appended
152 using a dash or since Linux 2.6.10 <em>cbc-essiv:&lt;hash&gt;</em>
153 (this prevents a watermark attack weakness). Examples for this parameter are: <code>des</code>,
154 <code>aes-cbc-essiv:sha256</code> or <code>twofish-ecb</code>.<br />
155 <code>cat /proc/crypto</code> will show you the supported ciphers.<br />
156 </dd>
157
158 <dt><em>&lt;key&gt;</em></dt>
159 <dd>
160 This is the key used for encryption. It is encoded as a hexadecimal number.
161 You can only use key sizes that are valid for the selected cipher. See /proc/crypto output.<br />
162 </dd>
163
164 <dt><em>&lt;IV offset&gt;</em></dt>
165 <dd>
166 The IV offset is a sector count that is added to the sector number before
167 creating the IV. It can be used to create a map that starts after the first encrypted
168 sector. Usually you'll set it to zero except your device is only partially available
169 or something like this.<br />
170 </dd>
171
172 <dt><em>&lt;real device&gt;</em></dt>
173 <dd>
174 This is the device that is going to be used as backend and
175 contains the encrypted data. You can specify the path like <em>/dev/xxx</em> or a device
176 number <em>&lt;major&gt;:&lt;minor&gt;</em>.<br />
177 </dd>
178
179 <dt><em>&lt;sector offset&gt;</em></dt>
180 <dd>
181 Finally this is the sector (number of 512 byte sectors) offset
182 where the encrypted data begins in the given real device.<br />
183 </dd>
184 </dl>
185 <p>
186 So a complete line to setup the device might look like:<br />
187 <code><strong>echo 0 `blockdev --getsize /dev/hda5` crypt aes-plain 0123456789abcdef0123456789abcdef 0 /dev/hda5 0 | dmsetup create volume1</strong></code><br />
188 Note the use of the <em>blockdev</em> command to get the number of sectors on <em>/dev/hda5</em>.<br />
189 The created device will be named <code>/dev/mapper/volume1</code>.
190 </p>
191 <p>
192 The device can then be mounted (you should not forget to create a filesystem first).
193 You can remove the device again using <code>dmsetup remove <em>&lt;name&gt;</em></code>.
194 If the creation fails see the syslog for kernel messages. Don't forget to remove the
195 device before trying to recreate it.
196 </p>
197 <p>
198 Except for the additional parameters dmsetup can be used somewhat like losetup for cryptoloop.
199 You can use hexdump to create the hex key representation and pipe the output from
200 <a href="http://www.paranoiacs.org/~sluskyb/hacks/hashalot/">hashalot</a> into
201 it or something. This is what the cryptsetup tool below does.
202 </p>
203 <p>
204 <a id="cryptsetup" name="cryptsetup"><strong>cryptsetup:</strong></a><br />
205 Because the way using dmsetup directly is too complicated for most people I'm currently writing
206 a native cryptsetup program to behave like one of the patched losetup's out there. It's going to
207 support a lot more features in the future.<br />
208 <em><strong>NEW:</strong> A first version of the native cryptsetup implementation in C is ready:<br />
209 <a href="cryptsetup-0.1.tar.bz2">cryptsetup 0.1</a> requires <a href="http://www.g10code.de/p-libgcrypt.html">libgcrypt</a> 1.1.x and libdevmapper</em><br />
210 I've got a CVS server, if you're interested in development I can give you write access.
211 The old version is a shell script that uses dmsetup and hashalot to do the same. I'm using the same
212 syntax. The script can be found <a href="cryptsetup.sh">here</a>.
213 You can put it into /usr/local/sbin or somewhere you like. The old script requires the tools <code>dmsetup</code>,
214 <code>hashalot</code>, <code>hexdump</code>, <code>sed</code>, <code>head</code>, <code>awk</code>
215 and <code>ls</code>. Most of these will most likely come with your distribution.<br />
216 The <code>hashalot</code> tool can be found <a href="http://www.paranoiacs.org/~sluskyb/hacks/hashalot/">here</a> <em>(not required with <code>-h plain</code>)</em>.<br />
217 The <code>dmsetup</code> tool can be found in the device-mapper package
218 <a href="ftp://sources.redhat.com/pub/dm/">here</a>.<br />
219 Don't forget to call <code>scripts/devmap_mknod.sh</code> (only once) in the device-mapper package
220 to create the <code>/dev/mapper/control</code> device node if you don't use
221 devfs or udev.<br />
222 </p>
223 <pre>
224 Syntax: /usr/local/sbin/cryptsetup [&lt;OPTIONS&gt;] &lt;action&gt; &lt;name&gt; [&lt;device&gt;]
225 &lt;OPTIONS&gt;:
226 -c &lt;cipher&gt; (see /proc/crypto)
227 -h {plain/&lt;hash&gt;} (see hashalot, WARNING: use ripemd160 instead of rmd160)
228 -y (verifies the passphrase by asking for it twice)
229 -d &lt;file&gt; (read key from file
230 e.g. /dev/urandom; useful for swap devices.
231 If set, the parameters -h and -y will be ignored)
232 -s &lt;keysize&gt; (in bits) (WARNING: in bytes for cryptsetup.sh)
233 -b &lt;size&gt; (in sectors)
234 -o &lt;offset&gt; (in sectors)
235 -p &lt;skipped&gt; (in sectors)
236 &lt;action&gt; is one of:
237 create - create device
238 remove - remove device
239 reload - modify active device
240 resize - resize active device
241 status - show device status
242 &lt;name&gt; is the device to create under /dev/mapper/
243 &lt;device&gt; is the encrypted device
244 </pre>
245 <p>
246 When creating a device the program will ask for the a passphrase. The passphrase
247 will then be hashed using the <em>hashalot</em> program and be used as key.<br />
248 Alternatively a passphrase can be piped through stdin.<br />
249 The hashing can be turned off with <code>-h plain</code>.
250 </p>
251 <p>
252 The defaults are <code>aes</code> with a <code>256 bit</code> key, hashed using
253 <code>ripemd160</code>. Since Linux 2.6.10 you can
254 use an alternative IV scheme to prevent a watermark attack weakness.
255 <code>aes-cbc-essiv:sha256</code> should do it.
256 </p>
257 <p>
258 Don't forget: cryptsetup only creates a mapping. If you call cryptsetup again
259 after a reboot and supply the same passphrase you will be able to mount your
260 filesystem you created before.<br />
261 </p>
262 </div>
263 <div>
264 <h3>Migration from cryptoloop and compatibility</h3>
265 <p>
266 The on-disk layouts used by the current 2.6 cryptoloop are supported by dm-crypt.<br />
267 Cryptoloop also uses cryptoapi so the name of the ciphers are the same. Cryptoloop also
268 supports ECB and CBC mode. Use <code><em>&lt;cipher&gt;</em>-ecb</code> and
269 <code><em>&lt;cipher&gt;</em>-plain</code> accordingly with dm-crypt. If you didn't
270 explicitly specify either -ecb or -cbc before you don't need it now, the default <em>plain</em>
271 IV generation will be used. There will be additional (incompatible, but more secure) possibilites
272 in the future because the unhashed sector number as IV is too predictible.<br />
273 </p>
274 <p>
275 You'll need to figure out how your passphrase was turned into a key to use for losetup.
276 There are several patches floating around doing things differently. But usually <code>cryptsetup</code>
277 will provide a working solution to recreate the same key from your passphrase.<br />
278 </p>
279 <p>
280 If you want to migrate from 2.4 cryptoloop please take a look at Clemens Fruhwirth's
281 <a href="http://clemens.endorphin.org/Cryptoloop_Migration_Guide.html">Cryptoloop
282 Migration Guide</a>. He describes the differences between 2.4 and 2.6 cryptoapi (or basically
283 the bugs in 2.4 cryptoapi...). If you need to cut the key size you can use the <code>-s</code>
284 option instead of playing with <code>dd</code>.<br />
285 <em>(BTW: Clemens has a i586 optimized version of the aes and serpent cipher on his page,
286 about twice as fast as the kernel implementation.)</em>
287 </p>
288 </div>
289 <div>
290 <h3>Why</h3>
291 <p>
292 <em>Why dm-crypt?</em><br />
293 Originally it started as a fun project because I wanted to play with the new Linux 2.6 internals.
294 I got a lot of great help from the device-mapper guys at Sistina (now Redhat). Thank you very
295 much!<br />
296 It turned out that this implementation worked great and is very clean compared to the hacked
297 loop device. The device-mapper core provides much better facilities to stack block devices.
298 dm-crypt uses mempools to assure we never run into out-of-memory deadlocks when allocating
299 buffers.<br />
300 Also the device-mapper configuration interface provides much more flexibility than the losetup
301 ioctl. And you can create as many devices as you want with any names you want and combine them
302 with other dm targets. Online device resizing is also possible, e.g. if you use dm-crypt on top
303 of a logical volume. There might perhaps even be LVM or EVMS support for device encryption
304 in the future.<br />
305 </p>
306 </div>
307 <div>
308 <h3>FAQ</h3>
309 <p>
310 <em>But I don't want to use LVM!</em><br />
311 You don't need LVM. Device-mapper is an all-purpose kernel feature,
312 not tied to LVM in any way.<br />
313 </p>
314 <p>
315 <em>What if I want to encrypt a filesystem and keep it in a file?</em><br />
316 You can use dm-crypt on top of a normal loop device, call losetup and cryptsetup.<br />
317 I'm going to add loop support to cryptsetup so it can do this for you.<br />
318 </p>
319 <p>
320 <em>I created my filesystem on the encrypted device. How can I keep it across reboots?</em><br />
321 Very simple. Call cryptsetup again and supply the same passphrase. It only creates
322 a mapping, not a filesystem.<br />
323 </p>
324 <p>
325 <em>What if I want to change my passphrase?</em><br />
326 At the moment you'll need to reencrypt your device because the passphrase is directly
327 tied to the key. <br />
328 There are plans to write a tool that stores the master key on disk
329 and encrypted so it can be unlocked using a passphrase. You can then
330 change your passphrase on a regular basis.<br />
331 If you want to reencrypt your filesystem you'll have to recreate a new one and move your files.<br />
332 (I've got an experimantal tool in the works that allows you to reencrypt your block device on the fly,
333 assuming you don't reboot your machine...)<br />
334 </p>
335 <p>
336 <em>I've read about security problems.</em><br />
337 Yes, the IV schemes currently supported by dm-crypt are the same as the ones supported by
338 cryptloop. There's the ECB mode which is a catastrophe (no IV at all) and the &quot;plain&quot;
339 mode, which is already a lot better. Older cryptoloops used ECB by default, but with dm-crypt
340 the default is &quot;plain&quot; (which is the unhashes sector number used as IV).<br />
341 Since dm-crypt is extensible there will be better possibilities in the future, but they will be
342 on-disk incompatible with cryptoloop so you'll have to reencrypt.<br />
343 </p>
344 <p>
345 <em>Help! I can't figure out how to use my old encrypted data! I was using...</em><br />
346 There are different implementations out there. Some are non-cryptoapi and/or
347 broken implementations. SuSE uses its own loop-twofish implementation which
348 makes dangerous assumptions and is broken when changing the blocksize
349 (&quot;timebomb crypto&quot;). You cannot use this with dm-crypt.
350 </p>
351 <p>
352 <em>Can I reencrypt my data without copying all the files?</em><br />
353 There's an experimental and unfinished <a href="dmconvert-0.2.tar.bz2">dmconvert</a> program
354 that can reencrypt the data while the filesystem is mounted. If you can get it running it should
355 be safe enough to not eat your data, but make sure you don't interrupt it or crash your system
356 while it is running. Don't blame me if something goes wrong.<br />
357 </p>
358 <p>
359 <em>Can I use encrypted swap?</em><br />
360 Yes. You can specify a key file /dev/random and run mkswap afterwards, so the device will be
361 created with a different key each time and the data is not accessible at all after a reboot.<br />
362 </p>
363 <p>
364 <em>Is there a mailing list?</em><br />
365 There's a mailing list at <a href="mailto:dm-crypt@saout.de">dm-crypt@saout.de</a>.
366 If you want to subscribe just send an empty mail to
367 <a href="mailto:dm-crypt-subscribe@saout.de">dm-crypt-subscribe@saout.de</a>.<br />
368 <a href="http://www.gmane.org/">Gmane</a> provides a NNTP interface and
369 <a href="http://news.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt">web archive</a>
370 for this mailing list.<br />
371 </p>
372 <p>
373 <em>My system hangs for some time in regular intervals when writing to encrypted disks.</em><br />
374 You are probably using Linux 2.6.4. Du to the introduction of kthread pdflush is running at nice level -10,
375 which means that the kernels treats dm-crypt writes as a real time task and doesn't allow scheduling.<br />
376 Solution: Switch to 2.6.5 or later or renice pdflush manually.<br />
377 </p>
378 <p>
379 <em>Can I use the mount command itself to do all the magic needed?</em><br />
380 I've written an experimental patch for this, see
381 <a href="http://article.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt/34">my post
382 in the mailing list</a> archive.<br />
383 </p>
384 <p>
385 <em>Where can I send my contributions?</em><br />
386 Because maintaining a web page takes time and people keep mailing me a lot of
387 things I could integrate they can enter it into this nice <a href="/tikiwiki/">Wiki</a>.<br />
388 </p>
389 </div>
390 <div>
391 <h3>Questions, suggestions, criticism?</h3>
392 <p>
393 Feel free to contact me: <a href="mailto:christophe@saout.de">christophe@saout.de</a>.
394 </p>
395 </div>
396 <div>
397 <a href="http://validator.w3.org/check/referer"><img src="http://www.w3.org/Icons/valid-xhtml10" alt="Valid XHTML 1.0!" height="31" width="88" border="0" /></a>
398 <a href="http://jigsaw.w3.org/css-validator/check/referer"><img src="http://jigsaw.w3.org/css-validator/images/vcss" alt="Valid CSS!" height="31" width="88" border="0" /></a>
399 </div>
400 </body>
401 </html>
  ViewVC Help
Powered by ViewVC 1.1.5