On Fri, 2013-06-28 at 23:24 +0200, Jonas Meurer wrote: > Ok, indeed the examples could be changed to use xts. Feel free to > provide a patch. I'll happily accept it. Attached... see the header for the exact changes and intentions and complain if it's not okay.
I could write two more patches: 1) That changes all keyscript=/lib/cryptsetup/../name to just keyscript=name ... I think that's supported for keyscripts shipped with cryptsetup. 2) I'd recommend to replace all /dev/sd[letter][number] or hd[letter][number] by "/dev/sdaN". Why? - AFAIK, hd is no longer used in the current kernels (I guess the old non libata based IDE drivers were even dropped)... - literally using "N" instead of an example number... reduces the risk that someone accidentally copies&pastes these examples and cause real harm. Choose what you'd like and I make patches. Chris.
In (nearly) all places where essiv or cipher occured in debian/
* Used cipher=aes-xts-plain64,size=512,hash=sha512 instead of previous value.
This is not cryptsetup's default, which still seem to use AES128 (and
therefore size=256)
and SHA1.
If you want it exactly to be upstream default just ask for another patch.
* Used one ordering: cipher, size, hash
In one place, twofish was used as an explicit different example. This wasn't
changed
but:
* Documented also the hash algo that was different from default.
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -66,7 +66,7 @@
You'll have to add an entry for every swap partition in /etc/crypttab. Be
sure toeplace the source device (here /dev/hda9) with your swap devices:
# <target name> <source device> <key file> <options>
-cswap1 /dev/hda9 /dev/urandom
swap,cipher=aes-cbc-essiv:sha256,size=256,hash=sha256
+cswap1 /dev/hda9 /dev/urandom
swap,cipher=aes-xts-plain64,size=512,hash=sha512
Now you need to change the swap devices in /etc/fstab to the encrypted swap
device names (/dev/mapper/cswap1 in this example).
--- a/debian/README.initramfs
+++ b/debian/README.initramfs
@@ -47,7 +47,7 @@
First of all, you must edit /etc/crypttab and add a line describing your
root device, for example:
- cryptroot /dev/hda2 none cipher=aes-cbc-essiv:sha256,size=256,hash=sha256
+ cryptroot /dev/hda2 none cipher=aes-xts-plain64,size=512,hash=sha512
This will allow cryptsetup to create /dev/mapper/cryptroot from the
encrypted partition /dev/hda2 during boot.
@@ -129,7 +129,7 @@
one mapping needs to be setup in the initramfs stage of the boot.
Example boot arguments:
-root=/dev/mapper/crypt0 cryptopts=target=crypt0,source=/dev/hda1,cipher=twofish
+root=/dev/mapper/crypt0
cryptopts=target=crypt0,source=/dev/hda1,cipher=aes-xts-plain64,size=512,hash=sha512
8. Resume device support
------------------------
@@ -161,7 +161,7 @@
1) swapoff -a
2) cryptsetup luksClose cryptswap
3) edit /etc/crypttab and change the cryptswap line to e.g.:
-cryptswap /dev/hda2 cryptroot
cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,keyscript=/lib/cryptsetup/scripts/decrypt_derived,swap
+cryptswap /dev/hda2 cryptroot
cipher=aes-xts-plain64,size=512,hash=sha512,keyscript=/lib/cryptsetup/scripts/decrypt_derived,swap
4) /etc/init.d/cryptdisks start
5) Make sure that /dev/mapper/cryptswap has been created
6) swapon -a
@@ -194,7 +194,7 @@
/dev/disk/*, e.g. /dev/disk/by-label/myusbkey.
This is an example of a suitable line in cryptsetup:
-cryptroot /dev/hda2 /dev/disk/by-label/myusbkey:/keys/root.key
cipher=aes-cbc-essiv:sha256,size=256,hash=plain,keyscript=/lib/cryptsetup/scripts/passdev
+cryptroot /dev/hda2 /dev/disk/by-label/myusbkey:/keys/root.key
cipher=aes-xts-plain64,size=512,hash=sha512,keyscript=/lib/cryptsetup/scripts/passdev
The above line would cause the boot to pause until /dev/disk/by-label/myusbkey
appears in the fs, then mount that device and use the file /keys/root.key
--- a/debian/doc/crypttab.xml
+++ b/debian/doc/crypttab.xml
@@ -416,23 +416,23 @@
<para>
<screen>
# Encrypted swap device
-cswap /dev/sda6 /dev/urandom
cipher=aes-cbc-essiv:sha256,hash=ripemd160,size=256,swap
+cswap /dev/sda6 /dev/urandom cipher=aes-xts-plain64,size=512,hash=sha512,swap
# Encrypted LUKS disk with interactive password, identified by UUID
cdisk0 UUID=12345678-9abc-def012345-6789abcdef01 none luks
# Encrypted ext4 disk with interactive password
# - retry 5 times if the check fails
-cdisk1 /dev/sda2 none
cipher=aes-cbc-essiv:sha256,hash=ripemd160,size=256,checkargs=ext4,tries=5
+cdisk1 /dev/sda2 none
cipher=aes-xts-plain64,size=512,hash=sha512,checkargs=ext4,tries=5
# Encrypted disk with interactive password
# - use a nondefault check script
# - no retries
-cdisk2 /dev/hdc1 none
cipher=aes-cbc-essiv:sha256,hash=ripemd160,size=256,check=customscript,tries=1
+cdisk2 /dev/hdc1 none
cipher=aes-xts-plain64,size=512,hash=sha512,check=customscript,tries=1
# Encrypted disk with interactive password
-# - twofish as the cipher
-cdisk3 /dev/sda3 none cipher=twofish,hash=ripemd160,size=256
+# - twofish as the cipher, RIPEMD160 as the hast
+cdisk3 /dev/sda3 none cipher=twofish,size=256,hash=ripemd160
</screen>
</para>
</refsect1>
smime.p7s
Description: S/MIME cryptographic signature
