HOWTO: Replacing cryptoloop with dm-crypt in Debian

A while back, I wrote a little HOWTO on putting the cryptoloop module back in Debian. Yesterday, Josh Triplett pointed out to me that current dm-crypt can actually be used instead of the cryptoloop module to compatibly work with cryptoloop-formatted volumes. Huh.

It turns out to be as simple as

$ apt-get install cryptsetup
$ cryptsetup create -c mycipher -s mykeysize volume-label /dev/sdx7
$ mount /dev/mapper/volume-label /mount-point

Obviously you'll need to make some substitutions in the above. Use

$ umount /mount-point
$ cryptsetup remove volume-label

to clean up afterwards. Enjoy.

Friend of Bart

Impossible to mount

Hello,

I had offset with cryptoloop using twofish. But I'm unable to mount it with cryptsetup.
I used to mount this like that:

losetup -e twofish -o 2560 /dev/loop0 /dev/hdb1 => enter passphrase
mount -t ext3 /dev/loop0 /home/

I tried with your command :
cryptsetup create -c twofish -o 2560 testAB /dev/sdb1
and then :
mount /dev/mapper/testAB test/

But it's not working (wrong FS type).

Do you see something wrong?

Thanks for help

ideas

Dunno. Things to try:

  • You may want to look at "--skip" vs "--offset". Not sure which you need here.

  • You may want to look at the "--key-size" option. Maybe there's a different default for twofish.

  • I don't think /dev/hdb1 vs /dev/sdb1 should make any difference, but for the record make sure you're trying the right volume.

  • If all else fails, see my other HOWTO for how to build cryptoloop for your box. See if that still works for you. That might give a clue about what's going on.

Friend of Bart

re:ideas

Hello,

  • hdb1 was a typo. real fs is sdb1
  • I tried with offset and skip option without success
    cryptsetup --offset 2560 create -c twofish testAB /dev/sdb1
    cryptsetup --skip 2560 create -c twofish testAB /dev/sdb1
    for both, mount is failing (wrong FS type. I know that key is correct)
  • for key size, I didn't find on man default size used.
    => losetup -e twofish -o 2560 /dev/loop0 /dev/sdb1 and then I entered password. Maybe you can give a hint here.
  • yes, I succeeded to mount FS by recompiling cryptoloop thanks to your HOWTO. but I'm looking for the new supported standard method to avoid recompiling the module after each kernel upgrade...

Thanks

AB

more ideas

Huh. So the thing still pulls with cryptoloop; that's good, it means that we can rule out a lot of things.

  • There's some useful but dated information here.

  • The default keysize for most versions of losetup seems to be 256. For certain old versions of SuSE it was apparently 192.

I'm running out of ideas. You might want to ping the cryptsetup/dmcrypt folks directly...

Friend of Bart

Finally mounted

Hello,

Thanks for hint with mailing list. They were answering very fast. This is resolution:

losetup specifies the offset in bytes, while cryptsetup uses sectors (of 512 bytes).
You need to set not only offset but also IV offset (to the same value) (--skip value)

So, to sum up :
With Debian 5.x, with losetup, I used previously for kernel < 2.6.32:
# losetup -e twofish -o 2560 /dev/loop0 /dev/sdb1
# mount -t ext3 /dev/loop0 /home/

I'm now using cryptsetup 1.1.3 in Debian 6.0 with this command (as cryptoloop module is not coming with kernel):
# cryptsetup create -c twofish -o 5 --skip 5 testAB /dev/sdb1
# mount /dev/mapper/testAB /home

Reference of thread:
http://www.saout.de/pipermail/dm-crypt/2011-April/001635.html
Thanks for help/ hints
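
The byte-to-sector conversion from the resolution above, as an added example that is not part of the original comment or of cryptsetup itself. The function names are hypothetical, and `open_checked` assumes `blkid -p` (util-linux) and `cryptsetup --readonly` are available and that it runs as root.

```shell
#!/bin/sh
# Added example: convert a cryptoloop "losetup -o BYTES" offset into
# plain-mode cryptsetup arguments. Function names are hypothetical.
SECTOR_SIZE=512   # cryptsetup --offset/--skip count 512-byte sectors

# Print the sector count for a byte offset; reject unaligned or odd input.
bytes_to_sectors() {
    case $1 in
        ''|*[!0-9]*|0?*) echo "not a plain decimal offset: '$1'" >&2; return 2 ;;
    esac
    if [ $(($1 % $SECTOR_SIZE)) -ne 0 ]; then
        echo "offset $1 is not a multiple of $SECTOR_SIZE bytes" >&2
        return 1
    fi
    echo $(($1 / $SECTOR_SIZE))
}

# Print the command equivalent to: losetup -e CIPHER -o BYTES /dev/loopN DEVICE
# The data offset and the IV offset (--skip) get the same sector value.
# Args: CIPHER BYTE_OFFSET NAME DEVICE
dmcrypt_command() {
    sectors=$(bytes_to_sectors "$2") || return 1
    echo "cryptsetup create -c $1 --offset $sectors --skip $sectors $3 $4"
}

# Map read-only, then mount only if a filesystem signature is readable.
# Plain dm-crypt keeps no header, so a wrong offset or key still maps
# "successfully" and only fails later with "wrong FS type".
# Args: CIPHER BYTE_OFFSET NAME DEVICE MOUNTPOINT (run as root).
open_checked() {
    sectors=$(bytes_to_sectors "$2") || return 1
    cryptsetup create --readonly -c "$1" --offset "$sectors" \
        --skip "$sectors" "$3" "$4" || return 1
    if ! blkid -p "/dev/mapper/$3" >/dev/null 2>&1; then
        echo "no filesystem signature on /dev/mapper/$3; removing it" >&2
        cryptsetup remove "$3"
        return 1
    fi
    mount -o ro "/dev/mapper/$3" "$5"
}

# Usage for the case in this thread (values taken from the comment above):
#   dmcrypt_command twofish 2560 testAB /dev/sdb1
```

Because the mapping is created read-only, a failed attempt with the wrong offset or key size cannot write to the underlying volume.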

Gratz!

Glad you got it working! Thanks huge for the report—it is greatly appreciated and should help others out a lot. I know I learned some things.

Friend of Bart

Using dm-crypt on files

Thanks. But I still can't get how to mount it for second time.
Should I use "cryptsetup create..." every time ?

Log file:
---------------------------------------------------------
##install:

#dd if=/dev/zero of=BackCopyFile bs=1M count=125
#losetup -v -f BackCopyFile
Loop device is /dev/loop0
#cryptsetup -c aes -y create BackCopyMap /dev/loop0
Enter passphrase:
Verify passphrase:
#mkfs.ext3 /dev/mapper/BackCopyMap
Writing superblocks and filesystem accounting information: done
#mount /dev/mapper/BackCopyMap /mnt/BackCopyMount
#touch /mnt/BackCopyMount/test
#ls /mnt/BackCopyMount/
lost+found test

##umount:
#umount /dev/mapper/BackCopyMap
#cryptsetup remove BackCopyMap
#losetup -d /dev/loop0

Ok.
But how we can mount it ?

I tried:

#losetup -v -f BackCopyFile
Loop device is /dev/loop0

v1:
# cryptsetup -c aes reload BackCopyMap /dev/loop0
The reload action is deprecated. Please use "dmsetup reload" ...
Enter passphrase:.
#mount /dev/mapper/BackCopyMap /mnt/BackCopyMount
mount: special device /dev/mapper/BackCopyMap does not exist

v2:
# cryptsetup -c aes luksOpen /dev/loop0 BackCopyMap
Device /dev/loop0 is not a valid LUKS device

v3:
#dmsetup load /dev/loop0 BackCopyMap
Device /dev/loop0 not found
Command failed

--
Nicholas

Yes, use cryptsetup create

Yes, use the horribly-named cryptsetup create every time, not cryptsetup reload. cryptsetup create won't touch your filesystem--it just "creates" the device file in /dev/mapper. So do it every time just like you did it the first time.

Friend of Bart

Can you show an example how

Can you show an example how to use dm-crypt with iso file with no loop device ?

(dd if=/dev/zero of=file.iso bs=1M count=125 ...)

Thanks.

Nicholas

Using dm-crypt on files

You will still need a loop device, but not cryptoloop. I just set this up for the first time last night.

    $ losetup -v -f my-filesystem-file
    Loop device is /dev/loop7
    $ cryptsetup create -c my-cipher -s my-keysize volume-label /dev/loop7
    $ mount /dev/mapper/volume-label /mount-point

To take it all down:

    $ umount /mount-point
    $ cryptsetup remove volume-label
    $ losetup -d /dev/loop7

If you forget what loopback device you used, "cryptsetup status volume-label" will show this, unless you've already done the remove. So go carefully.

It's all lots more trouble than the cryptoloop solution, and no more secure. Apparently, though, it's the future for some reason.

Friend of Bart