itdocumentation improvements for kdf and dm-crypt cipher choice - tomb - the crypto undertaker Err parazyd.org 70 hgit clone git://parazyd.org/tomb.git URL:git://parazyd.org/tomb.git parazyd.org 70 1Log /git/tomb/log.gph parazyd.org 70 1Files /git/tomb/files.gph parazyd.org 70 1Refs /git/tomb/refs.gph parazyd.org 70 1README /git/tomb/file/README.md.gph parazyd.org 70 1LICENSE /git/tomb/file/COPYING.gph parazyd.org 70 i--- Err parazyd.org 70 1commit 8f0b2943ce69c8960740564bff08cb3cea6d5f5e /git/tomb/commit/8f0b2943ce69c8960740564bff08cb3cea6d5f5e.gph parazyd.org 70 1parent a08cb6e0def4361ea97350d5f5b16e2f3b8bc089 /git/tomb/commit/a08cb6e0def4361ea97350d5f5b16e2f3b8bc089.gph parazyd.org 70 hAuthor: Jaromil URL:mailto:jaromil@dyne.org parazyd.org 70 iDate: Sat, 9 Jan 2016 10:16:42 +0100 Err parazyd.org 70 i Err parazyd.org 70 idocumentation improvements for kdf and dm-crypt cipher choice Err parazyd.org 70 i Err parazyd.org 70 iDiffstat: Err parazyd.org 70 i M doc/tomb.1 | 4 +++- Err parazyd.org 70 i M tomb | 19 +++++++++++++------ Err parazyd.org 70 i Err parazyd.org 70 i2 files changed, 16 insertions(+), 7 deletions(-) Err parazyd.org 70 i--- Err parazyd.org 70 1diff --git a/doc/tomb.1 b/doc/tomb.1 /git/tomb/file/doc/tomb.1.gph parazyd.org 70 it@@ -57,6 +57,8 @@ knowing its password. As in any other command requiring a key, the Err parazyd.org 70 i option \fI-k\fR should be used to specify a key file. The \fI-o\fR Err parazyd.org 70 i option can be used to specify the cipher specification: default is Err parazyd.org 70 i "aes-xts-plain64:sha256", old versions of Tomb used "aes-cbc-essiv:sha256". Err parazyd.org 70 i+If you are looking for something exotic, also try "serpent-xts-plain64". Err parazyd.org 70 i+More options may be found in cryptsetup(8) and Linux documentation. Err parazyd.org 70 i This operation requires root privileges to loopback mount, format the tomb (using Err parazyd.org 70 i LUKS and Ext4), then set the key in its first LUKS slot. 
Err parazyd.org 70 i Err parazyd.org 70 it@@ -135,7 +137,7 @@ key and the second and last argument the tomb file. Err parazyd.org 70 i Increase the size of a tomb file to the amount specified by the Err parazyd.org 70 i \fI-s\fR option, which is the new size in megabytes (MiB). Full access to the tomb using Err parazyd.org 70 i a key (\fI-k\fR) and its password is required. Tombs can only grow and Err parazyd.org 70 i-can never be made smaller. This command makes use of the cryptsetup Err parazyd.org 70 i+can never be made smaller. This command makes use of the cryptsetup(8) Err parazyd.org 70 i resize feature and the resize2fs command: its much more practical than Err parazyd.org 70 i creating a new tomb and moving everything into it. Err parazyd.org 70 i Err parazyd.org 70 1diff --git a/tomb b/tomb /git/tomb/file/tomb.gph parazyd.org 70 it@@ -969,6 +969,7 @@ get_lukskey() { Err parazyd.org 70 i kdf_salt="${firstline[(ws:_:)3]}" Err parazyd.org 70 i kdf_ic="${firstline[(ws:_:)4]}" Err parazyd.org 70 i kdf_len="${firstline[(ws:_:)5]}" Err parazyd.org 70 i+ _message "Unlocking KDF key protection ($kdf_hash)" Err parazyd.org 70 i _verbose "KDF salt: $kdf_salt" Err parazyd.org 70 i _verbose "KDF ic: $kdf_ic" Err parazyd.org 70 i _verbose "KDF len: $kdf_len" Err parazyd.org 70 it@@ -1147,7 +1148,9 @@ gen_key() { Err parazyd.org 70 i if [[ "$itertime" != <-> ]]; then Err parazyd.org 70 i unset tombpass Err parazyd.org 70 i unset tombpasstmp Err parazyd.org 70 i- _failure "Wrong argument for --kdf: must be an integer number (iteration seconds)." Err parazyd.org 70 i+ _error "Wrong argument for --kdf: must be an integer number (iteration seconds)." 
Err parazyd.org 70 i+ _error "Depending on the speed of machines using this tomb, use 1 to 10, or more" Err parazyd.org 70 i+ return 1 Err parazyd.org 70 i fi Err parazyd.org 70 i # --kdf takes one parameter: iter time (on present machine) in seconds Err parazyd.org 70 i local -i microseconds Err parazyd.org 70 it@@ -1441,7 +1444,7 @@ forge_key() { Err parazyd.org 70 i [[ -z "$destkey" ]] && { Err parazyd.org 70 i _failure "A filename needs to be specified using -k to forge a new key." } Err parazyd.org 70 i Err parazyd.org 70 i- _message "Commanded to forge key ::1 key::" $destkey Err parazyd.org 70 i+# _message "Commanded to forge key ::1 key::" $destkey Err parazyd.org 70 i Err parazyd.org 70 i _check_swap # Ensure the available memory is safe to use Err parazyd.org 70 i Err parazyd.org 70 it@@ -1468,12 +1471,16 @@ forge_key() { Err parazyd.org 70 i _message "Commanded to forge key ::1 key:: with cipher algorithm ::2 algorithm::" \ Err parazyd.org 70 i $destkey $algo Err parazyd.org 70 i Err parazyd.org 70 i+ [[ $KDF == 1 ]] && { Err parazyd.org 70 i+ _message "Using KDF to protect the key password (`option_value --kdf` rounds)" Err parazyd.org 70 i+ } Err parazyd.org 70 i+ Err parazyd.org 70 i TOMBKEYFILE="$destkey" # Set global variable Err parazyd.org 70 i Err parazyd.org 70 i- _message "This operation takes time, keep using this computer on other tasks," Err parazyd.org 70 i- _message "once done you will be asked to choose a password for your tomb." Err parazyd.org 70 i- _message "To make it faster you can move the mouse around." Err parazyd.org 70 i- _message "If you are on a server, you can use an Entropy Generation Daemon." Err parazyd.org 70 i+ _warning "This operation takes time, keep using this computer on other tasks," Err parazyd.org 70 i+ _warning "once done you will be asked to choose a password for your tomb." Err parazyd.org 70 i+ _warning "To make it faster you can move the mouse around." 
Err parazyd.org 70 i+ _warning "If you are on a server, you can use an Entropy Generation Daemon." Err parazyd.org 70 i Err parazyd.org 70 i # Use /dev/random as the entropy source, unless --use-urandom is specified Err parazyd.org 70 i local random_source=/dev/random Err parazyd.org 70 .
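Review bot: In the doc/tomb.1 hunk at @@ -57,6 +57,8 @@, the new sentence "If you are looking for something exotic, also try "serpent-xts-plain64"" invites users to pick a cipher for novelty, and "Linux documentation" is too vague to act on. Suggest stating that the default "aes-xts-plain64:sha256" is the recommended choice, that any alternative given with -o must be supported by the kernel of every machine the tomb will later be opened on, and pointing at "cryptsetup benchmark" or /proc/crypto as the concrete way to check which ciphers the running kernel provides.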
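Review bot: In the doc/tomb.1 hunk at @@ -135,7 +137,7 @@, while the sentence is being touched to add "(8)", the context line "resize feature and the resize2fs command: its much more practical than" should read "it's much more practical"; it would also be worth writing resize2fs(8) for consistency with cryptsetup(8).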
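Review bot: In the tomb hunk at @@ -969,6 +969,7 @@ get_lukskey(), the added line `_message "Unlocking KDF key protection ($kdf_hash)"` interpolates $kdf_hash directly, whereas the other user-facing messages in this patch use the "::1 key::" placeholder form (see forge_key()); please use the same placeholder style here, and confirm $kdf_hash is assigned before this point, since only kdf_salt, kdf_ic and kdf_len are visible being set from firstline.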
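Review bot: In the tomb hunk at @@ -1147,7 +1148,9 @@ gen_key(), replacing `_failure` with two `_error` calls and `return 1` turns a fatal error into a return code, so every caller of gen_key() must now check its exit status or key generation proceeds with an invalid --kdf value; please verify the callers. Separately, the zsh pattern `<->` on the line above accepts "0", while the new message tells the user to "use 1 to 10, or more"; `<1->` would reject a zero iteration time and match the advice.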
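Review bot: In the tomb hunk at @@ -1441,7 +1444,7 @@ forge_key(), the line `# _message "Commanded to forge key ::1 key::" $destkey` is left as a commented-out statement; since the later hunk at @@ -1468 prints the same information together with the algorithm, delete the dead line rather than keeping it in comments.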
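Review bot: In the tomb hunk at @@ -1468,12 +1471,16 @@ forge_key(), the new message `_message "Using KDF to protect the key password (`option_value --kdf` rounds)"` labels the --kdf value as "rounds", but gen_key() in this same patch documents that parameter as "iter time (on present machine) in seconds"; say "seconds of iteration" here so the two messages agree. Prefer `$(option_value --kdf)` over backticks inside double quotes, and check that `_warning` is the intended level for the four rewritten lines, which are progress hints rather than warnings.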