documentation improvements for kdf and dm-crypt cipher choice

2024-06-20 02:52:39 +00:00 · 2016-01-09 10:16:42 +01:00 · 2016-01-09 10:16:42 +01:00 · 8f0b2943ce
commit 8f0b2943ce
parent a08cb6e0de
2 changed files with 16 additions and 7 deletions
--- a/doc/tomb.1
+++ b/doc/tomb.1
@ -57,6 +57,8 @@ knowing its password. As in any other command requiring a key, the
 option \fI-k\fR should be used to specify a key file. The \fI-o\fR
 option can be used to specify the cipher specification: default is
 "aes-xts-plain64:sha256", old versions of Tomb used "aes-cbc-essiv:sha256".
+If you are looking for something exotic, also try "serpent-xts-plain64".
+More options may be found in cryptsetup(8) and Linux documentation.
 This operation requires root privileges to loopback mount, format the tomb (using
 LUKS and Ext4), then set the key in its first LUKS slot.

@ -135,7 +137,7 @@ key and the second and last argument the tomb file.
 Increase the size of a tomb file to the amount specified by the
 \fI-s\fR option, which is the new size in megabytes (MiB). Full access to the tomb using
 a key (\fI-k\fR) and its password is required. Tombs can only grow and
-can never be made smaller. This command makes use of the cryptsetup
+can never be made smaller. This command makes use of the cryptsetup(8)
 resize feature and the resize2fs command: its much more practical than
 creating a new tomb and moving everything into it.

--- a/19
+++ b/19
@ -969,6 +969,7 @@ get_lukskey() {
                kdf_salt="${firstline[(ws:_:)3]}"
                kdf_ic="${firstline[(ws:_:)4]}"
                kdf_len="${firstline[(ws:_:)5]}"
+                _message "Unlocking KDF key protection ($kdf_hash)"
                _verbose "KDF salt: $kdf_salt"
                _verbose "KDF ic: $kdf_ic"
                _verbose "KDF len: $kdf_len"
@ -1147,7 +1148,9 @@ gen_key() {
            if [[ "$itertime" != <-> ]]; then
                unset tombpass
                unset tombpasstmp
-                _failure "Wrong argument for --kdf: must be an integer number (iteration seconds)."
+                _error "Wrong argument for --kdf: must be an integer number (iteration seconds)."
+                _error "Depending on the speed of machines using this tomb, use 1 to 10, or more"
+                return 1
            fi
            # --kdf takes one parameter: iter time (on present machine) in seconds
            local -i microseconds
@ -1441,7 +1444,7 @@ forge_key() {
    [[ -z "$destkey" ]] && {
        _failure "A filename needs to be specified using -k to forge a new key." }

-    _message "Commanded to forge key ::1 key::" $destkey
+#    _message "Commanded to forge key ::1 key::" $destkey

    _check_swap # Ensure the available memory is safe to use

@ -1468,12 +1471,16 @@ forge_key() {
    _message "Commanded to forge key ::1 key:: with cipher algorithm ::2 algorithm::" \
        $destkey $algo

+    [[ $KDF == 1 ]] && {
+        _message "Using KDF to protect the key password (`option_value --kdf` rounds)"
+    }
+
    TOMBKEYFILE="$destkey"    # Set global variable

-    _message "This operation takes time, keep using this computer on other tasks,"
-    _message "once done you will be asked to choose a password for your tomb."
-    _message "To make it faster you can move the mouse around."
-    _message "If you are on a server, you can use an Entropy Generation Daemon."
+    _warning "This operation takes time, keep using this computer on other tasks,"
+    _warning "once done you will be asked to choose a password for your tomb."
+    _warning "To make it faster you can move the mouse around."
+    _warning "If you are on a server, you can use an Entropy Generation Daemon."

    # Use /dev/random as the entropy source, unless --use-urandom is specified
    local random_source=/dev/random