OpenSSL bf-cbc encrypted Keyfile HOOK for LUKS

Similar Messages

• LVM+LUKS+GPG-encrypted keyfile?

  Hello everyone!
  I'm coming from Gentoo (just can't handle the compiling-without-distcc anymore!), where I had an LVM+LUKS+GPG-encrypted keyfile setup for my root partition, and would like to continue that with Arch here.
  I know with LUKS you can append keys/passwords, so I just went ahead with the "password" install method that was well documented. 
  Is there any current easy-method for going about the route I'm looking for?  I've been searching around and mostly finding "it can be done" but not necessarily how to do it.   Would anyone have any information for me on this? 
  Thanks in advance!

  The best info on LVM2/Luks I have found so far:
  http://sunoano.name/ws/public_xhtml/lvm.html
  http://sunoano.name/ws/public_xhtml/dm-crypt_luks.html

• Luks encrypted key file as key for luks partition (two-factor auth)

  I'm trying to implement "two-factor" authentication (possession of a keyfile and knowledge of a passphrase required) using dm-crypt in order to open an encrypted root filesystem. In the past I used gpg and later openssl to decrypt a keyfile using a passphrase, which then was used by cryptsetup using --key-file to decrypt the actual data device. I'd like to ditch gpg/openssl and use only cryptsetup.
  So the idea is to create a luksFormatted key file (loop device) which, when opened using a passphrase, will be used as the key (using --key-file) to open a luksFormatted hard drive partition.
  To illustrate:
  # create and luksFormat the key container file
  dd if=/dev/urandom of=key_container bs=1M count=4
  cryptsetup luksFormat key_container
  # open the container and create a random "key" by directly writing pseudo random data to it
  cryptsetup luksOpen key_container key_device
  dd if=/dev/urandom of=/dev/mapper/key_device
  # luksFormat the data device using the random data from the luks key device
  cryptsetup -d /dev/mapper/key luksFormat /dev/sda1
  # later, to open /dev/sda1
  cryptsetup -d /dev/mapper/key_device luksOpen /dev/sda1 encryptedfs
  My questions:
  1. Is this a valid approach or am I making a mistake/do you see a problem somewhere?
  2. How much data from the loop device will cryptsetup use as key to format/open the data device? Everything? Is there a limit?
  3. Is there a difference between doing a
  cat /dev/mapper/key | cryptsetup -d -
  and
  cryptsetup -d /dev/mapper/key?
  3. Assuming that the answer to 1 is "no mistake/problem" and 2 is "everything there is" or even "the first x bytes", is it possible that  the actual contents of the loop device may change in the future because of different loop device implementations or somethings else I didn't think of? I'd like  to avoid bad surprises in the future..
  4. What would you recommend as size for the key container file, knowing that the luks header requires some space too?
  Any feedback appreciated.
  Cheers,
  fabriceb

  I do the same ( https://wiki.gentoo.org/wiki/Custom_Ini … ed_Keyfile ).
  --key-file=- should be equivalent, but it's meant for grabbing a key from gpg output or whatever; since you can specify it directly here, no need to involve anything else like cat etc.
  without --key-file=- it would stop reading at newlines or something. this behaviour is quite dangerous as it may cause people who believe they're using a long random key, to use only a very short (or even empty) key instead. one way to avoid such ambiguousness is to make sure there are no newline bytes in your keyfile, so it would use the whole thing in either interpretation.
  as for the key length, a key is essentially a passphrase. So it does not have to be very long at all; 8 truly random bytes would require up to 256^8 tries to break after all and with LUKS, each try takes ~1 second per physical CPU... but the smallest unit that LUKS allows is 512 bytes (1 sector) so you could just as well use the whole thing. If you use 4096 bytes, you're confusing bytes with bits somewhere... and as for bits, even 128bit AES is still considered secure...
  You could save some bytes in the initrd.gz if you initialize the container file with zeroes instead of random, so it can be compressed. The key will still be random as the random cipher key will turn the zeroes to something else after all...

• How to disable AES CBC encryption on ASA 5545

  Hi ,
  In our environment  having ASA 5545 ( IOS Ver 9.1) Firewall and In there AES 256 CBC cipher encryption is enabled for SSH user access.
  we need to disable CBC cipher encryption and enable the CTR Cipher encryption for SSH users.
  Kindly help me for the same .
  Thanks,
  Dheeraj

  AES256-ctr was just added in ASA software version 9.1(2). I don't believe the ssh encryption type is configurable in the ASA ssh server. You need to specify it in the client - I did verify it will connect when yo do that (see output below).
  SSL encyption ciphers can be specified to exclude the weak ciphersuites.
  # sh ssh session det
  SSH Session ID          : 1
   Client IP              : <deleted>
   Username               : <deleted>
   SSH Version            : 2.0
   State                  : SessionStarted
   Inbound Statistics
    Encryption            : aes256-ctr
    HMAC                  : sha1
    Bytes Received        : 1824
   Outbound Statistics
    Encryption            : aes256-ctr
    HMAC                  : sha1
    Bytes Transmitted     : 5632
   Rekey Information
    Time Remaining (sec)  : 3277
    Data Remaining (bytes): 996142580
    Last Rekey            : 07:12:38.807 UTC Tue May 20 2014
    Data-Based Rekeys     : 0
    Time-Based Rekeys     : 0

• How do I encrypt an archive for a PC user?

  I can't find a way to encrypt an archive for a PC user. There doesn't seem to be an option when making an archive from the Finder. I also tried making an encrypted disk image with Disk Utility but the PC can't open the DMG filetype apparently.
  In the reverse, the same problem exists if I try to open a zip file encrypted on a PC - can't be done.
  When I do a Google search the results for encrypted archive usually point to Stuffit Deluxe or encrypted disk images that you can use on your mac or another Mac.
  Does anyone know how to make/use encrypted archives that are cross platform? I'd like to avoid buying a program (i.e. Stuffit Deluxe) just for this one utilitarian task. Thanks.
  Message was edited by: Marlinespike

  Thanks, Dave.
  I tried the command you gave me. It worked! I could open the zipped archive on my neighbor's PC.
  The only weird things, are that it seems to zip all the other folders, e.g. users\Marlinespike\desktop\target-file, in the filepath and not just the target file, and that it also drops the zipped archive in the home folder.
  I tried adding some of the other commands, such as zip -e -r or zip -er or zip -e -d but it doesn't seem to work. However, this is a huge improvement over where I was earlier.
  I clicked through those links - I forgot about Mac GNU Privacy and am going to check those out too.

• Third party encryption plug-in for a pdf form.

  We are looking for an Adobe approved third party encryption plug-in for a pdf form. 256 bit, assymetric, two key, one public (embedded in form) and one private (accessible only to our organisation

  I don't know that is a huge number of alternatives for Fractal plugins.  You'll no doubt come across links for Fractalius and Genuine Fractals, but the first produces interesting strand like effects (after a very long wait) and the second is an image resize plugine which now belongs to On One, and is sold as Perfect Resize.  And even that has been made irrelevant by the Preserve Details upres option in CC.
  You are alos wize to be careful.  Previous trusable sites like cnet on softonic are a nightmare nowdays, and too many of the free apps you find on them come loaded with malware.  Some of it _serious_ malware DAMHIKIJKOK
  But have a look at Fractal Explorer.  I don't have experience with it, but it comes with the Pixel Bender name behind it, which is like a badge of excellence.
  http://www.subblue.com/projects/fractal_explorer

• USER Hook for Changer Manager function

  Dear All,
  I need to know that is there any user hook for Manager Self Service -- Change Manager function for employee.
  If yes then please give me the module name/id for the user hook.
  If no then how can I set custom validations on this page.
  Regards.

  You should look for the update assignment api.
  select * from hr_api_modules
  where module_name like '%UPDATE%ASG%'
  Depending on the legislation, you will have different modules/packages/procedures.

• API User Hook for Restricting Category Creation in a sepcific catalog

  Q: API User Hook for Restricting Category Creation in a sepcific catalog by a specific responsibility. I want to capture GO button process event?
  Hi All,
  Can anyone help me if anyone have used user hook for OLM? My requirement is to restrict course creation for the specific category... when we select category and select course and click on go button which process is calling? How can we identify the BP Package and Procedure name of that GO button?
  urgent reply shall be a great help.
  thank you.
  Regards,
  AD

  OK, I just tried to insert an element entry from the API and it works perfectly
  The problem seems to be coming from the form. Is the form not using an API?
  If this is the case, should I do a personalization and run a PL/SQL procedure each time a change is made?

• Java encryption/decryption coding for database records

  i need some help in developing a source code in java that can encrypt and decrypt database records in Oracle 9i and MYsQL.
  urgent help needed!

  its a grade report system, where i put in the college id and a course id as the password. to retreve the grade from the database. The user IDs and grades have to be encrypted before requesting for the grades.This database stores for each student the user ID, the course ID, name and grades.The grades from the database are encrypted before being sent to the user.

• Cannot save service hook for Slack (Database error when saving)

  When trying to set up a service hook for Slack, saving the new service hook fails at the end of the process.
  The Message is
  "Cannos ave the value NULL into column 'ActionDescription', table 'ServiceHooks_...........hooks.tbl_Subscription'; column does not allow nulls, INSERT fails"
  The whole setup wizard runs fine and also the test before saving succeeds (the test message appears in the correct slack channel). There is no field left blank during the setup of the service hook, I cannot see any "Action description" that I may
  have left blank.
  Any ideas?

  Hi,
  did yo urun an authorization trace ?
  does it always happen with the same SAP user credentials ?
  does it always happen with the same report ?
  Ingo

• Network security: Configure encryption types allowed for Kerberos-Windows 2008

  If below setting has been enabled in domain policy on Windows 2008 R2 DC ; what is the effect on Windows 2008 Member server . that seeting is not present in Windows 2008.
  Network security: Configure encryption types allowed for Kerberos:
  Please advice & if possible please provide more info.
  AliahMurfy

  Hi,
  I found some related information is some type of the encrypt not supported on the server 2008, such as AES128_HMAC_SHA1.
  More detail information please refer the following KB:
  Network security: Configure encryption types allowed for Kerberos
  http://technet.microsoft.com/en-us/library/jj852180(v=ws.10).aspx
  Hope this helps.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Mkinitcpio-nfs-utils hook for net without wireless

  Is there a way to make a net hook for diskless clients without including wireless?  Make one called net-nowireless or something like that.  If my diskless client has a wireless card, I'd have to go into emergency shell to connect the wireless network device to a wireless network if it would even let me do that.  Otherwise, I have to blacklist any perceivable wireless module and include it in my mkinitcpio.conf.  Some wireless devices can be canned just by not including the firmware.  Anyways, my diskless client hangs on the wireless deadlock when initializing network interfaces.  It would also probably remove firmware messages and make the initramfs-linux.img smaller.  The PXE clients can only boot from the hardwired ethernet clients for now.
  Doing a mkinitcpio -L doesn't even list the net hook, but mkinitcpio -H net shows the details.
  Last edited by nomorewindows (2013-10-05 12:22:32)

  Lone_Wolf wrote:
  It does look like the hook tries to connect using all autodetected network devices, regardless of number and type of devices.
  While it may be possible to differentiate between wired and wireless devices, that will still give issues if there are multiple wired/wireless devices.
  Maybe a configuration file could be added that specifies which devices nfs should use.
  If there's no config file present in the initramfs, it should just default to all detected devices as it does now.
  Although I haven't tried it this way, it makes sense because that's what it does with the wireless, which just has the unresolvable problem, whereas dual ethernet or more, as long as it satisfies getting an address via dhcp, can probably still boot.  Maybe this is the reason why OpenBSD is still anal about using stateful routines through rarpd and bootparamd.  I've tried to boot OpenBSD under Arch, using rarp, but I guess it doesn't answer satisfactory to OpenBSD's diskless request.  The purpose of stateless is to boot anybody.  Various options can be set in pxelinux.cfg based on MAC address, but maybe these aren't known ahead of time to boot a customized initramfs-linux.img. 
  The real boon was to turn on a dumb-terminal and as soon as it came on, the login prompt was present.  This was probably a function of getty.

• WARNING POST: New Windows 10 scam will encrypt your files for ransom

  This is not Lenovo specific but a Windows 10 exploit going around hitting upgraders as I read it. None the less it is clear one must be careful in what they run and are downloading during the process. I am not clear where this is coming from (email, website etc) but be very careful for most ti will be a bad experience if you are a victime. http://www.zdnet.com/article/windows-10-scam-email-will-encrypt-your-files-for-ransom/?tag=nl.e539&s_cid=e539&ttag=e539&ftag=TRE17cfd61 

  Which computer? There is a label on the bottom.
  Try an older version of the driver for your model.
     Touchpad stopped working
  -Jerry

• Creating API User Hooks for Saudi HRMS

  Dear All,
  I want to create API User hooks for Person Extra Information Type,Any one could help me.
  Thanks and regards,

  If you want to learn how a user hook works, you can check the metalink note 73170.1. Or you can visit the following link.This guy has given the whole content in his blog.
  http://shrigupta.blogspot.com/2010/06/understanding-and-using-api-user-hooks.html
  Hope this helps.

• Can't mkinitcpio with "nouveau" hook for early start of KMS

  Hello Everyone,
  My first message on this board! But I'm using Arch for two years now.
  I have a problem with KMS:
  I try to start early KMS with the nouveau driver in order to have a nice plymouth-ed boot.
  I followed the wiki : https://wiki.archlinux.org/index.php/No … arly_start
  But mkinitcpio says that there is no hook for "nouveau" in /lib/initcpio/hook...
  I have the last version of xf86-video-nouveau and nouveau-dri.
  Have someone had the same problem?
  How can I manage to make an initframfs with nouveau module?
  Thank you!
  David

  Read the wiki page again. Nouveau is a module, not a hook, and belongs in the MODULES array.
  edit: Note to self: reload before posting.
  Last edited by Stebalien (2011-04-13 13:33:22)