WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
xen-users

Re: [Xen-users] use of encrypted filesystem

To: mark.williamson@xxxxxxxxxxxx
Subject: Re: [Xen-users] use of encrypted filesystem
From: "Anand Gupta" <xen.mails@xxxxxxxxx>
Date: Thu, 28 Dec 2006 16:01:20 +0530
Cc: Xen Users <Xen-users@xxxxxxxxxxxxxxxxxxx>
Dear Mark,

Thanks for the response and detailed explanation.

I checked in the kernel and I have the dm-crypt compiled as a module. I can load the module using modprobe dm-crypt and it shows up in lsmod.

Now when I try to use losetup again, here is what I get:

losetup -e dm-crypt /dev/loop0 /dev/sda2
Password:
ioctl: LOOP_SET_STATUS: Invalid argument

The error "Invalid argument" is what is causing the problem and I can't seem to find why it's doing so.

Here is the list of modules loaded

lsmod

Module                  Size  Used by
dm_crypt               14480  0
des                    20992  0
aes                    31808  0
twofish                43136  0
ipv6                  260096  14
binfmt_misc            13708  1
dm_mod                 53328  1 dm_crypt
ide_generic             5504  0 [permanent]
aacraid                58880  0
ext3                  122256  1
jbd                    58664  1 ext3
raid1                  22400  0
ide_disk               17280  0
ata_piix               14852  0
libata                 61720  1 ata_piix
sd_mod                 19712  0
scsi_mod              140816  3 aacraid,libata,sd_mod

I am sure there would be some stupid mistake because of which this is not working.

I will appreciate it if you can help me sort this out.

On 28 Dec 2006 02:17:13 +0000, M.A. Williamson <maw48@xxxxxxxxx> wrote:

You should be able to use cryptoloop or dm-crypt. The latter device-mapper
based solution is the recommended alternative these days. These both give
you an encrypted block device on which to run your filesystem.

eCryptfs isn't available in the XenLinux we currently have. However, it's
being merged into future releases of the mainline kernel, so it'll filter
down to XenLinux at some stage. eCryptfs allows you to encrypt files on an
individual basis, so is rather different to use than the above solutions -
it may be more or less useful, depending on your objectives.

Anyhow, we'll talk about cryptoloop and dm-crypt for now, since these are
the ones that are going to be most straightforward to use.

>I also found out about cryptoloop, however when I try to use it inside domU, it
>gives me an error
>
>losetup -e cryptoloop /dev/loop0 /dev/sda2
>Password:
>ioctl: LOOP_SET_STATUS: Invalid argument
>
>I also tried various combinations
>
>losetup -e des /dev/loop0 /dev/sda2
>losetup -e aes128 /dev/loop0 /dev/sda2
>losetup -e aes-256 /dev/loop0 /dev/sda2
>
>However all the above result in the same error.
>
>How should I set up the encrypted fs? Any help would be appreciated.

You don't need to patch your XenLinux kernel if you want to use Cryptoloop
or dm-crypt. However, you'll need to recompile it.

Reconfigure your kernel to include support for cryptoloop (you can find
this in make menuconfig under the menu: Device Drivers / Block devices /
Loopback device support / Cryptoloop support) or dm-crypt (you can find
this in make menuconfig under the menu: Device Drivers / Multi Device
Support (RAID and LVM) / Device Mapper Support / Crypt target support).

You might as well enable both then you can play around with them. You may
find that once you've compiled support in, the howtos you were following
will Just Work(TM). You may need to install packages for your distro in
order to use dm-crypt.

Note that cryptoloop does have known security vulnerabilities, which is why
dm-crypt is now recommended.

If you have any problems, follow up to this e-mail.

Cheers,
Mark



--
regards,

Anand Gupta
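
An added example, not part of the original thread: a shell check that reads a kernel config file and reports which of the two backends from the reply (cryptoloop, dm-crypt) that kernel supports, plus a helper showing that a dm-crypt volume is opened through device-mapper with cryptsetup rather than with `losetup -e`. The function names and the sample config are constructed for illustration; the CONFIG_ symbols are the mainline Kconfig names for the menu entries named in the reply.

```shell
#!/bin/sh
# Added example, not code from the thread.

# Print y, m or n for SYMBOL in kernel config FILE (n = unset or absent).
kconfig_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${val:-n}"
}

# List the encrypted block device backends a kernel config supports.
crypt_backends() {
    out=""
    if [ "$(kconfig_state "$1" CONFIG_BLK_DEV_LOOP)" != n ] &&
       [ "$(kconfig_state "$1" CONFIG_BLK_DEV_CRYPTOLOOP)" != n ]; then
        out="cryptoloop"
    fi
    if [ "$(kconfig_state "$1" CONFIG_BLK_DEV_DM)" != n ] &&
       [ "$(kconfig_state "$1" CONFIG_DM_CRYPT)" != n ]; then
        out="${out:+$out }dm-crypt"
    fi
    echo "${out:-none}"
}

# dm-crypt is driven through device-mapper, here with cryptsetup (LUKS),
# not through "losetup -e". DESTROYS existing data on DEV. Needs root.
open_dmcrypt() {   # usage: open_dmcrypt DEV NAME
    modprobe dm-crypt &&
    cryptsetup luksFormat "$1" &&
    cryptsetup luksOpen "$1" "$2" &&
    mkfs.ext3 "/dev/mapper/$2"
}

# Constructed sample config: dm-crypt as a module, cryptoloop not enabled.
sample_config() {
    cat <<'EOF'
CONFIG_BLK_DEV_LOOP=y
# CONFIG_BLK_DEV_CRYPTOLOOP is not set
CONFIG_BLK_DEV_DM=m
CONFIG_DM_CRYPT=m
EOF
}
```

Run `crypt_backends` against the `.config` in the kernel source tree used to build the domU kernel; options built as modules (`m`) still have to be loaded before use.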