documentation improvements for kdf and dm-crypt cipher choice

Jaromil 2016-01-09 10:16:42 +01:00
parent a08cb6e0de
commit 8f0b2943ce
2 changed files with 16 additions and 7 deletions


@ -57,6 +57,8 @@ knowing its password. As in any other command requiring a key, the
option \fI-k\fR should be used to specify a key file. The \fI-o\fR option \fI-k\fR should be used to specify a key file. The \fI-o\fR
option can be used to specify the cipher specification: default is option can be used to specify the cipher specification: default is
"aes-xts-plain64:sha256", old versions of Tomb used "aes-cbc-essiv:sha256". "aes-xts-plain64:sha256", old versions of Tomb used "aes-cbc-essiv:sha256".
If you are looking for something exotic, also try "serpent-xts-plain64".
More options may be found in cryptsetup(8) and Linux documentation.
This operation requires root privileges to loopback mount, format the tomb (using This operation requires root privileges to loopback mount, format the tomb (using
LUKS and Ext4), then set the key in its first LUKS slot. LUKS and Ext4), then set the key in its first LUKS slot.
@ -135,7 +137,7 @@ key and the second and last argument the tomb file.
Increase the size of a tomb file to the amount specified by the Increase the size of a tomb file to the amount specified by the
\fI-s\fR option, which is the new size in megabytes (MiB). Full access to the tomb using \fI-s\fR option, which is the new size in megabytes (MiB). Full access to the tomb using
a key (\fI-k\fR) and its password is required. Tombs can only grow and a key (\fI-k\fR) and its password is required. Tombs can only grow and
can never be made smaller. This command makes use of the cryptsetup can never be made smaller. This command makes use of the cryptsetup(8)
resize feature and the resize2fs command: its much more practical than resize feature and the resize2fs command: its much more practical than
creating a new tomb and moving everything into it. creating a new tomb and moving everything into it.

tomb

@ -969,6 +969,7 @@ get_lukskey() {
kdf_salt="${firstline[(ws:_:)3]}" kdf_salt="${firstline[(ws:_:)3]}"
kdf_ic="${firstline[(ws:_:)4]}" kdf_ic="${firstline[(ws:_:)4]}"
kdf_len="${firstline[(ws:_:)5]}" kdf_len="${firstline[(ws:_:)5]}"
_message "Unlocking KDF key protection ($kdf_hash)"
_verbose "KDF salt: $kdf_salt" _verbose "KDF salt: $kdf_salt"
_verbose "KDF ic: $kdf_ic" _verbose "KDF ic: $kdf_ic"
_verbose "KDF len: $kdf_len" _verbose "KDF len: $kdf_len"
@ -1147,7 +1148,9 @@ gen_key() {
if [[ "$itertime" != <-> ]]; then if [[ "$itertime" != <-> ]]; then
unset tombpass unset tombpass
unset tombpasstmp unset tombpasstmp
_failure "Wrong argument for --kdf: must be an integer number (iteration seconds)." _error "Wrong argument for --kdf: must be an integer number (iteration seconds)."
_error "Depending on the speed of machines using this tomb, use 1 to 10, or more"
return 1
fi fi
# --kdf takes one parameter: iter time (on present machine) in seconds # --kdf takes one parameter: iter time (on present machine) in seconds
local -i microseconds local -i microseconds
@ -1441,7 +1444,7 @@ forge_key() {
[[ -z "$destkey" ]] && { [[ -z "$destkey" ]] && {
_failure "A filename needs to be specified using -k to forge a new key." } _failure "A filename needs to be specified using -k to forge a new key." }
_message "Commanded to forge key ::1 key::" $destkey # _message "Commanded to forge key ::1 key::" $destkey
_check_swap # Ensure the available memory is safe to use _check_swap # Ensure the available memory is safe to use
@ -1468,12 +1471,16 @@ forge_key() {
_message "Commanded to forge key ::1 key:: with cipher algorithm ::2 algorithm::" \ _message "Commanded to forge key ::1 key:: with cipher algorithm ::2 algorithm::" \
$destkey $algo $destkey $algo
[[ $KDF == 1 ]] && {
_message "Using KDF to protect the key password (`option_value --kdf` rounds)"
}
TOMBKEYFILE="$destkey" # Set global variable TOMBKEYFILE="$destkey" # Set global variable
_message "This operation takes time, keep using this computer on other tasks," _warning "This operation takes time, keep using this computer on other tasks,"
_message "once done you will be asked to choose a password for your tomb." _warning "once done you will be asked to choose a password for your tomb."
_message "To make it faster you can move the mouse around." _warning "To make it faster you can move the mouse around."
_message "If you are on a server, you can use an Entropy Generation Daemon." _warning "If you are on a server, you can use an Entropy Generation Daemon."
# Use /dev/random as the entropy source, unless --use-urandom is specified # Use /dev/random as the entropy source, unless --use-urandom is specified
local random_source=/dev/random local random_source=/dev/random
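Review bot: In the gen_key hunk a non-numeric `--kdf` argument no longer aborts the operation: `_failure` (which elsewhere in this script appears to terminate) is replaced by `_error` plus `return 1`, so the result now depends on the caller checking gen_key's exit status, and if the generated key is captured as `$(gen_key ...)` without a status check, forging would continue past the rejected argument. Either keep `_failure` on that line or confirm that every caller treats a non-zero return from gen_key as fatal; gen_key's body starts and ends outside the hunk, so the code that would consume the unset tombpass is not visible here. Separately, the new forge_key message reads `(`option_value --kdf` rounds)` while the gen_key hunk's own comment documents `--kdf` as iteration time in seconds, so `(`option_value --kdf` iteration seconds)` would match the parameter's meaning, and `$(option_value --kdf)` is the clearer quoting form inside a double-quoted string. The commit title describes documentation improvements only, so the control-flow change in gen_key deserves a mention in the description.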