Sophie

Sophie

distrib > Mageia > 5 > x86_64 > media > core-updates > by-pkgid > f44480d38d6dc9a1a7b288003752c85f > files > 16

cryptmount-5.0-4.1.mga5.x86_64.rpm

	cryptmount usage of the OpenSSL cryptographic library

			RW Penney, July 2007

Introduction
============

Since the earliest versions of cryptmount, the package has benefited enormously from the availability of the OpenSSL cryptographic library. This library has provided a secure means of storing filesystem access keys. Moreover, this has provided compatibility with the 'openssl' command-line tool, allowing cryptmount keys to be manipulated outside cryptmount.

Since mid-2006, cryptmount has added support for access-keys protected via the GNU/libgcrypt library, and more recently has directly incorporated implementations of the Blowfish & SHA1 cryptographic algorithms.

Despite the power offered by the OpenSSL library, the licencing position of cryptmount is made more complicated by using the OpenSSL library within an application released under the GNU General Public License (GPL2). Although the advice published at http://www.openssl.org/support/faq.html#LEGAL2 recognizes this as accepted "on many systems including the major Linux and BSD distributions", this position is open to disagreement.

In order to clarify the licencing position of cryptmount, a decision has been taken to REMOVE SUPPORT FOR USING THE OpenSSL LIBRARY from cryptmount-3.0 and subsequent releases. Naturally, this decision has been taken with regret, while greatly respecting the considerable role the OpenSSL library has played in cryptmount's evolution.


Migration plans
===============

In order to minimize the impact of removing support for the OpenSSL library, additional functionality is being added elsewhere within cryptmount starting with release 2.1:

  * Support for OpenSSL file-formats via the libgcrypt library

  * A new '--reuse-key' option for translating between key-formats

It is expected that the OpenSSL compatibility layer provided via the libgcrypt library will allow the majority of cryptmount users who are already using OpenSSL key-files to migrate transparently to using libgcrypt in place of the OpenSSL library. There are, however, some differences between the functionality offered by these two libraries that may cause difficulties for a small minority of users who have chosen certain cipher/digest options within OpenSSL.

In cases where it is necessary to change from an existing OpenSSL key-file to another key-format supported by cryptmount without recreating the associated encrypted filesystem, the '--reuse-key' option can be used by the system-administrator to preserve the same access key, but within a different file-format.
In outline, for an existing crypmount target called 'OLD_TARGET', this will involve the following steps:
  - Ensuring you have available a version of cryptmount (e.g. 2.1, 2.2)
    which supports all the keyformats used by your existing
    encrypted filesystems
  - Creating a new cryptmount target in the cmtab, using the same parameters
    as OLD_TARGET, but with a different target-name ('NEW_TARGET'),
    a new key-filename & different keyformat (e.g. 'libgcrypt')
  - Using 'cryptmount --reuse-key OLD_TARGET NEW_TARGET'
    to migrate the key from OLD_TARGET to NEW_TARGET
  - Confirming that 'cryptmount NEW_TARGET' allows the old filesystem
    to be mounted correctly
  - Removing the OLD_TARGET entry within the cmtab

A third option involves using the command-line 'openssl' program to extract an existing access-key and then re-encrypt it, again using 'openssl', to use a cipher & message-digest (e.g. aes-256-cbc & sha1) that are suppored by cryptmount's libgcrypt compatibility layer.


OpenSSL key-format support via libgcrypt
========================================

If cryptmount is configured with the '--with-libgcrypt' option, a compatibility layer is provided for reading keys stored within files created by the OpenSSL library and 'openssl' command-line application. This compatibility-layer can be associated with any cryptmount filesystem by using 'keyformat=openssl-compat' as part of the filesystem's entry within the cmtab (see 'man 5 cmtab').

The following cipher & digest algorithm options within OpenSSL are known to work transparently with this compatibility layer:
    aes128, aes-128-cbc, aes192, aes192-cbc, aes-192-ecb, aes256, aes-256-cbc
    bf, bf-cbc, blowfish
    cast, cast5
    des
    md4, md5, sha1, rmd160

The following cipher & digest algorithm options within OpenSSL are known to cause problems with the compatibility layer:
    *-cfb			(Ciphers operated in cipher-feedback mode
    				do not appear to operate consistently.)
    rc2 rc2-* rc4 rc4-*		(These ciphers are not supported by libgcrypt)
    md2				(This digest is not supported by libgcrypt)
    sha				(This digest is not supported by libgcrypt)

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional