eternaltyro / cryptsetup

Since Google code is shuttering...
http://code.google.com/p/cryptsetup
GNU General Public License v2.0

cannot mount multiple tcrypt-system partitions #183

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. use cryptsetup to map tcrypt-system device
2. device gets mapped to /dev/mapper/...
   - only the device is mapped, and not the device partitions

3. can only mount the first partition on the mapped device

What is the expected output? 

Expected is to have a way to map multiple tcrypt-system encrypted 
partitions that are on the same device. 

What do you see instead?

Only the device is mapped which makes it impossible to mount any partition
other than the first one.

What version of the product are you using? On what operating system?
cryptsetup 1.6.2 on fedora 20 x86_64 

Please provide any additional information below.

TL;DR:

I think the main issue here is that I have one drive which is truecrypt-system
encrypted, but it has multiple partitions, and cryptsetup doesn't allow me to
mount any other than the first one.

DETAILS

System details and steps to reproduce:

I have one hard drive which has windows installed on it.
It has three partitions (windows names C: D: and E:), all NTFS.
The whole drive is encrypted with truecrypt using system encryption 
mode. Meaning the whole drive is unlocked at boot time. 

On a second hard drive, I have Fedora installed. 
I would like to use cryptsetup to be able to mount the before-mentioned
partitions (the device shows up as /dev/sdb and partitions as /dev/sdb1-3).

Using cryptsetup to map individual partitions (/dev/sdb1, for example) fails
like so (obviously because it needs the tcrypt-system param):

cryptsetup open --type tcrypt /dev/sdb1 tcrypt1 --debug
# cryptsetup 1.6.2 processing "cryptsetup open --type tcrypt /dev/sdb1 tcrypt1 
--debug"
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating crypt device /dev/sdb1 context.
# Trying to open and read device /dev/sdb1.
# Initialising device-mapper backend library.
# Interactive passphrase entry requested.
Enter passphrase: 
# Trying to load TCRYPT crypt type from device /dev/sdb1.
# Crypto backend (gcrypt 1.5.3) initialized.
# Reading TCRYPT header of size 512 bytes from device /dev/sdb1.
# TCRYPT: trying KDF: pbkdf2-ripemd160-2000.
# TCRYPT:  trying cipher aes-xts-plain64
# TCRYPT:  trying cipher serpent-xts-plain64
# TCRYPT:  trying cipher twofish-xts-plain64
# TCRYPT:  trying cipher twofish-aes-xts-plain64
# TCRYPT:  trying cipher serpent-twofish-aes-xts-plain64
# TCRYPT:  trying cipher aes-serpent-xts-plain64
# TCRYPT:  trying cipher aes-twofish-serpent-xts-plain64
# TCRYPT:  trying cipher serpent-twofish-xts-plain64
# TCRYPT:  trying cipher aes-lrw-benbi
# TCRYPT:  trying cipher serpent-lrw-benbi
# TCRYPT:  trying cipher twofish-lrw-benbi
# TCRYPT:  trying cipher twofish-aes-lrw-benbi
# TCRYPT:  trying cipher serpent-twofish-aes-lrw-benbi
# TCRYPT:  trying cipher aes-serpent-lrw-benbi
# TCRYPT:  trying cipher aes-twofish-serpent-lrw-benbi
# TCRYPT:  trying cipher serpent-twofish-lrw-benbi
# TCRYPT:  trying cipher aes-cbc-tcrypt
# TCRYPT:  trying cipher serpent-cbc-tcrypt
# TCRYPT:  trying cipher twofish-cbc-tcrypt
# TCRYPT:  trying cipher twofish-aes-cbci-tcrypt
# TCRYPT:  trying cipher serpent-twofish-aes-cbci-tcrypt
# TCRYPT:  trying cipher aes-serpent-cbci-tcrypt
# TCRYPT:  trying cipher aes-twofish-serpent-cbci-tcrypt
# TCRYPT:  trying cipher serpent-twofish-cbci-tcrypt
# TCRYPT:  trying cipher cast5-cbc-tcrypt
# TCRYPT:  trying cipher des3_ede-cbc-tcrypt
# TCRYPT:  trying cipher blowfish_le-cbc-tcrypt
# TCRYPT:  trying cipher blowfish_le-aes-cbc-tcrypt
# TCRYPT:  trying cipher serpent-blowfish_le-aes-cbc-tcrypt
# TCRYPT: trying KDF: pbkdf2-ripemd160-1000.
# TCRYPT:  trying cipher aes-xts-plain64
# TCRYPT:  trying cipher serpent-xts-plain64
# TCRYPT:  trying cipher twofish-xts-plain64
# TCRYPT:  trying cipher twofish-aes-xts-plain64
# TCRYPT:  trying cipher serpent-twofish-aes-xts-plain64
# TCRYPT:  trying cipher aes-serpent-xts-plain64
# TCRYPT:  trying cipher aes-twofish-serpent-xts-plain64
# TCRYPT:  trying cipher serpent-twofish-xts-plain64
# TCRYPT:  trying cipher aes-lrw-benbi
# TCRYPT:  trying cipher serpent-lrw-benbi
# TCRYPT:  trying cipher twofish-lrw-benbi
# TCRYPT:  trying cipher twofish-aes-lrw-benbi
# TCRYPT:  trying cipher serpent-twofish-aes-lrw-benbi
# TCRYPT:  trying cipher aes-serpent-lrw-benbi
# TCRYPT:  trying cipher aes-twofish-serpent-lrw-benbi
# TCRYPT:  trying cipher serpent-twofish-lrw-benbi
# TCRYPT:  trying cipher aes-cbc-tcrypt
# TCRYPT:  trying cipher serpent-cbc-tcrypt
# TCRYPT:  trying cipher twofish-cbc-tcrypt
# TCRYPT:  trying cipher twofish-aes-cbci-tcrypt
# TCRYPT:  trying cipher serpent-twofish-aes-cbci-tcrypt
# TCRYPT:  trying cipher aes-serpent-cbci-tcrypt
# TCRYPT:  trying cipher aes-twofish-serpent-cbci-tcrypt
# TCRYPT:  trying cipher serpent-twofish-cbci-tcrypt
# TCRYPT:  trying cipher cast5-cbc-tcrypt
# TCRYPT:  trying cipher des3_ede-cbc-tcrypt
# TCRYPT:  trying cipher blowfish_le-cbc-tcrypt
# TCRYPT:  trying cipher blowfish_le-aes-cbc-tcrypt
# TCRYPT:  trying cipher serpent-blowfish_le-aes-cbc-tcrypt
# TCRYPT: trying KDF: pbkdf2-sha512-1000.
# TCRYPT:  trying cipher aes-xts-plain64
# TCRYPT:  trying cipher serpent-xts-plain64
# TCRYPT:  trying cipher twofish-xts-plain64
# TCRYPT:  trying cipher twofish-aes-xts-plain64
# TCRYPT:  trying cipher serpent-twofish-aes-xts-plain64
# TCRYPT:  trying cipher aes-serpent-xts-plain64
# TCRYPT:  trying cipher aes-twofish-serpent-xts-plain64
# TCRYPT:  trying cipher serpent-twofish-xts-plain64
# TCRYPT:  trying cipher aes-lrw-benbi
# TCRYPT:  trying cipher serpent-lrw-benbi
# TCRYPT:  trying cipher twofish-lrw-benbi
# TCRYPT:  trying cipher twofish-aes-lrw-benbi
# TCRYPT:  trying cipher serpent-twofish-aes-lrw-benbi
# TCRYPT:  trying cipher aes-serpent-lrw-benbi
# TCRYPT:  trying cipher aes-twofish-serpent-lrw-benbi
# TCRYPT:  trying cipher serpent-twofish-lrw-benbi
# TCRYPT:  trying cipher aes-cbc-tcrypt
# TCRYPT:  trying cipher serpent-cbc-tcrypt
# TCRYPT:  trying cipher twofish-cbc-tcrypt
# TCRYPT:  trying cipher twofish-aes-cbci-tcrypt
# TCRYPT:  trying cipher serpent-twofish-aes-cbci-tcrypt
# TCRYPT:  trying cipher aes-serpent-cbci-tcrypt
# TCRYPT:  trying cipher aes-twofish-serpent-cbci-tcrypt
# TCRYPT:  trying cipher serpent-twofish-cbci-tcrypt
# TCRYPT:  trying cipher cast5-cbc-tcrypt
# TCRYPT:  trying cipher des3_ede-cbc-tcrypt
# TCRYPT:  trying cipher blowfish_le-cbc-tcrypt
# TCRYPT:  trying cipher blowfish_le-aes-cbc-tcrypt
# TCRYPT:  trying cipher serpent-blowfish_le-aes-cbc-tcrypt
# TCRYPT: trying KDF: pbkdf2-whirlpool-1000.
# TCRYPT:  trying cipher aes-xts-plain64
# TCRYPT:  trying cipher serpent-xts-plain64
# TCRYPT:  trying cipher twofish-xts-plain64
# TCRYPT:  trying cipher twofish-aes-xts-plain64
# TCRYPT:  trying cipher serpent-twofish-aes-xts-plain64
# TCRYPT:  trying cipher aes-serpent-xts-plain64
# TCRYPT:  trying cipher aes-twofish-serpent-xts-plain64
# TCRYPT:  trying cipher serpent-twofish-xts-plain64
# TCRYPT:  trying cipher aes-lrw-benbi
# TCRYPT:  trying cipher serpent-lrw-benbi
# TCRYPT:  trying cipher twofish-lrw-benbi
# TCRYPT:  trying cipher twofish-aes-lrw-benbi
# TCRYPT:  trying cipher serpent-twofish-aes-lrw-benbi
# TCRYPT:  trying cipher aes-serpent-lrw-benbi
# TCRYPT:  trying cipher aes-twofish-serpent-lrw-benbi
# TCRYPT:  trying cipher serpent-twofish-lrw-benbi
# TCRYPT:  trying cipher aes-cbc-tcrypt
# TCRYPT:  trying cipher serpent-cbc-tcrypt
# TCRYPT:  trying cipher twofish-cbc-tcrypt
# TCRYPT:  trying cipher twofish-aes-cbci-tcrypt
# TCRYPT:  trying cipher serpent-twofish-aes-cbci-tcrypt
# TCRYPT:  trying cipher aes-serpent-cbci-tcrypt
# TCRYPT:  trying cipher aes-twofish-serpent-cbci-tcrypt
# TCRYPT:  trying cipher serpent-twofish-cbci-tcrypt
# TCRYPT:  trying cipher cast5-cbc-tcrypt
# TCRYPT:  trying cipher des3_ede-cbc-tcrypt
# TCRYPT:  trying cipher blowfish_le-cbc-tcrypt
# TCRYPT:  trying cipher blowfish_le-aes-cbc-tcrypt
# TCRYPT:  trying cipher serpent-blowfish_le-aes-cbc-tcrypt
# TCRYPT: trying KDF: pbkdf2-sha1-2000.
# TCRYPT:  trying cipher aes-xts-plain64
# TCRYPT:  trying cipher serpent-xts-plain64
# TCRYPT:  trying cipher twofish-xts-plain64
# TCRYPT:  trying cipher twofish-aes-xts-plain64
# TCRYPT:  trying cipher serpent-twofish-aes-xts-plain64
# TCRYPT:  trying cipher aes-serpent-xts-plain64
# TCRYPT:  trying cipher aes-twofish-serpent-xts-plain64
# TCRYPT:  trying cipher serpent-twofish-xts-plain64
# TCRYPT:  trying cipher aes-lrw-benbi
# TCRYPT:  trying cipher serpent-lrw-benbi
# TCRYPT:  trying cipher twofish-lrw-benbi
# TCRYPT:  trying cipher twofish-aes-lrw-benbi
# TCRYPT:  trying cipher serpent-twofish-aes-lrw-benbi
# TCRYPT:  trying cipher aes-serpent-lrw-benbi
# TCRYPT:  trying cipher aes-twofish-serpent-lrw-benbi
# TCRYPT:  trying cipher serpent-twofish-lrw-benbi
# TCRYPT:  trying cipher aes-cbc-tcrypt
# TCRYPT:  trying cipher serpent-cbc-tcrypt
# TCRYPT:  trying cipher twofish-cbc-tcrypt
# TCRYPT:  trying cipher twofish-aes-cbci-tcrypt
# TCRYPT:  trying cipher serpent-twofish-aes-cbci-tcrypt
# TCRYPT:  trying cipher aes-serpent-cbci-tcrypt
# TCRYPT:  trying cipher aes-twofish-serpent-cbci-tcrypt
# TCRYPT:  trying cipher serpent-twofish-cbci-tcrypt
# TCRYPT:  trying cipher cast5-cbc-tcrypt
# TCRYPT:  trying cipher des3_ede-cbc-tcrypt
# TCRYPT:  trying cipher blowfish_le-cbc-tcrypt
# TCRYPT:  trying cipher blowfish_le-aes-cbc-tcrypt
# TCRYPT:  trying cipher serpent-blowfish_le-aes-cbc-tcrypt
No device header detected with this passphrase.
# Releasing crypt device /dev/sdb1 context.
# Releasing device-mapper backend.
# Unlocking memory.
Command failed with code 1: No device header detected with this passphrase.

Adding the --tcrypt-system option to the above command also fails (obviously
because I passed the partition and not the device (/dev/sdb1 instead of
/dev/sdb)):

cryptsetup open --tcrypt-system --type tcrypt /dev/sdb1 tcrypt1 --debug
# cryptsetup 1.6.2 processing "cryptsetup open --tcrypt-system --type tcrypt 
/dev/sdb1 tcrypt1 --debug"
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating crypt device /dev/sdb1 context.
# Trying to open and read device /dev/sdb1.
# Initialising device-mapper backend library.
# Interactive passphrase entry requested.
Enter passphrase: 
# Trying to load TCRYPT crypt type from device /dev/sdb1.
# Crypto backend (gcrypt 1.5.3) initialized.
# Reading TCRYPT header of size 512 bytes from device /dev/sdb1.

<cipher trying removed>

WARNING: device /dev/sdb1 is a partition, for TCRYPT system encryption you 
usually need to use whole block device path.
No device header detected with this passphrase.
# Releasing crypt device /dev/sdb1 context.
# Releasing device-mapper backend.
# Unlocking memory.
Command failed with code 1: No device header detected with this passphrase.

Now, if I correct the command as it should be (/dev/sdb with --tcrypt-system):

cryptsetup open --tcrypt-system --type tcrypt /dev/sdb tcrypt1 --debug

<shortened>
Command successful.

This results in /dev/sdb being mapped as /dev/mapper/tcrypt1.
And now we come to my problem. How do I now mount individual tcrypt partitions?
No partitions are mapped, there's only /dev/mapper/tcrypt1 
If I do:
mount /dev/mapper/tcrypt1 /mnt/c

the command is successful, but only the first encrypted partition is mounted
(namely /dev/sdb1 or C: in windows-speak).

Doing partprobe -s /dev/mapper/tcrypt1 returns nothing.

Am I missing something obvious? 

I will be more than happy to help test this in any way I can. 
And once again, thanks for the good work!

Original issue reported on code.google.com by fulldi...@gmail.com on 27 Nov 2013 at 9:21

GoogleCodeExporter commented 9 years ago
OK, it seems like a mode which I did not consider (with system encryption only
one drive is supported currently - others must be encrypted separately).

How exactly did you encrypt the system in truecrypt? (I will need to
reproduce this configuration to fix it.)

Thanks for report!

Original comment by gmazyl...@gmail.com on 28 Nov 2013 at 12:25

GoogleCodeExporter commented 9 years ago
After the system was installed and configured (drive partitioned into 3
partitions and Windows 7 installed on the first one) I used truecrypt to
encrypt the system drive along with the other partitions. When you initiate the
system encryption in Windows, truecrypt asks if you want to only encrypt the
system partition or the whole drive. I chose the latter option.

Original comment by fulldi...@gmail.com on 28 Nov 2013 at 1:48

GoogleCodeExporter commented 9 years ago
Thanks. Some modifications will be needed here because for system encryption we
now require the full device parameter (not partitions). Seems this was a mistake.
Will think about how to do it better for this configuration...

Original comment by gmazyl...@gmail.com on 28 Nov 2013 at 2:45

GoogleCodeExporter commented 9 years ago
There are other issues with this design, that need to be considered as well...

In the above scenario, the original poster encrypted multiple partitions on a 
disk using what TrueCrypt calls the "WDE" feature, and Linux is running from a 
different disk.

One could also have a single disk setup where one partition is encrypted with 
TrueCrypt system encryption and Linux is installed on another partition on the 
same disk. In this case, the tcryptOpen fails as well, with the following error:

"Cannot use device /dev/sda which is in use (already mapped or mounted)."

The mapping fails if any of the partitions /dev/sda* are already mounted, such 
as in this case.

In my opinion, the most appropriate design would be:
- accept the exact partition specifier in the open command (/dev/sdaX)
- in case --tcrypt-system option is specified, read the volume header from LBA 
62 on that disk, instead of the first sector of the partition
- decrypt the header and ensure that the requested partition is covered by the 
master key scope
- map /dev/sdaX as requested by the user 

Cheers!

Original comment by y...@indiatimes.com on 2 Dec 2013 at 10:23
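Two things in this thread lend themselves to a worked example: the reporter's situation (the whole drive is mapped as one device, partprobe on it finds nothing, and only the first partition is mountable) and the scope check proposed in the comment above (a partition may only be opened through the system-encryption header if it lies inside the encrypted area that header describes). The script below is an added example written for this page; it is not code from cryptsetup or from any of the commenters. It parses the classic MBR from the plaintext first sector of the raw disk (the partition table is never encrypted by TrueCrypt system encryption), emits dm-linear tables that lay each partition over the already-decrypted /dev/mapper/tcrypt1, and implements the "partition covered by the encrypted area" check as a plain range comparison. It assumes the mapped device begins at the encrypted area, which for whole-drive system encryption is partition 1; that assumption matches the reporter's observation that /dev/mapper/tcrypt1 mounts as C:, and `looks_like_ntfs` is there to confirm it before any mapping is trusted. The names `parse_mbr`, `linear_tables`, `covered_by_volume`, `looks_like_ntfs`, the `tcrypt1pN` device names and the sample MBR are all mine; the sample is constructed, not read from a real disk. GPT disks are out of scope (TrueCrypt system encryption of that era was MBR-only).

```python
import struct
import sys

SECTOR = 512
# MBR entry: status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
MBR_ENTRY = "<B3xB3xII"


def parse_mbr(mbr: bytes):
    """Return the used primary entries of a classic MBR (the plaintext first
    sector of the TrueCrypt system drive) as dicts; raise if it is not an MBR."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("boot signature 0x55AA missing: not an MBR")
    entries = []
    for i in range(4):
        status, ptype, start, size = struct.unpack_from(MBR_ENTRY, mbr, 446 + 16 * i)
        if ptype == 0 or size == 0:  # empty slot
            continue
        entries.append({"index": i + 1, "type": ptype, "start": start,
                        "size": size, "bootable": status == 0x80})
    return entries


def covered_by_volume(entry, area_start, area_sectors):
    """The scope check proposed in the thread: a partition may only be opened
    through a system-encryption header if it lies entirely inside the encrypted
    area [area_start, area_start + area_sectors) that the decrypted header
    describes (values in sectors)."""
    end = entry["start"] + entry["size"]
    return entry["start"] >= area_start and end <= area_start + area_sectors


def linear_tables(entries, mapped_dev, prefix="tcrypt1p"):
    """dm-linear tables exposing each partition on top of the already-decrypted
    mapped device. Offsets are relative to the lowest partition start because
    (assumption, see lead-in) the mapped device begins at the encrypted area,
    which for whole-drive TrueCrypt system encryption is partition 1."""
    if not entries:
        return []
    base = min(e["start"] for e in entries)
    return [(f"{prefix}{e['index']}",
             f"0 {e['size']} linear {mapped_dev} {e['start'] - base}")
            for e in entries]


def looks_like_ntfs(sector0: bytes):
    """Sanity check before trusting a mapping: an NTFS volume's first sector
    carries the OEM ID 'NTFS    ' at offset 3 and the 0x55AA signature."""
    return sector0[3:11] == b"NTFS    " and sector0[510:512] == b"\x55\xaa"


def sample_mbr():
    """Constructed MBR (not from a real disk): three NTFS partitions behind a
    63-sector first track, like the C:/D:/E: layout in this report."""
    mbr = bytearray(SECTOR)
    parts = [(0x80, 0x07, 63, 204800), (0x00, 0x07, 204863, 409600),
             (0x00, 0x07, 614463, 819200)]
    for i, p in enumerate(parts):
        struct.pack_into(MBR_ENTRY, mbr, 446 + 16 * i, *p)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    # usage: dd if=/dev/sdb bs=512 count=1 of=mbr.bin; python3 tcrypt_parts.py mbr.bin
    mbr = open(sys.argv[1], "rb").read(SECTOR) if len(sys.argv) > 1 else sample_mbr()
    for name, table in linear_tables(parse_mbr(mbr), "/dev/mapper/tcrypt1"):
        print(f"dmsetup create {name} --table '{table}'")
```

Run against the constructed sample it prints three `dmsetup create tcrypt1pN --table '0 <size> linear /dev/mapper/tcrypt1 <offset>'` lines with offsets 0, 204800 and 614400. On a real system: open the disk read-only first (`cryptsetup open -r --type tcrypt --tcrypt-system /dev/sdb tcrypt1`), read sector 0 of /dev/mapper/tcrypt1 and check it with `looks_like_ntfs` (or `blkid`), then feed the printed commands to `dmsetup` as root and mount the resulting /dev/mapper/tcrypt1p2 and tcrypt1p3 read-only until `blkid` confirms each is the NTFS volume you expect; tear down with `dmsetup remove` before `cryptsetup close`. `kpartx`/`partprobe` cannot do this for you, because the mapped device carries no partition table at all. With a cryptsetup that contains the fix referenced later in this thread, the whole workaround collapses to opening the partition directly, e.g. `cryptsetup open --type tcrypt --tcrypt-system /dev/sdb2 tcrypt_d`.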

GoogleCodeExporter commented 9 years ago
Should be fixed by commit
http://code.google.com/p/cryptsetup/source/detail?r=c57071a43a0d43d08faed85faaaf39ad04e68797

which allows using a partition as a parameter with system encryption.

Please test git version if you can, thanks.

BTW, "Cannot use device /dev/sda which is in use (already mapped or mounted)."
when another partition is in use was already fixed in previous versions.

Original comment by gmazyl...@gmail.com on 7 Dec 2013 at 11:09

GoogleCodeExporter commented 9 years ago

Original comment by gmazyl...@gmail.com on 7 Dec 2013 at 11:10

GoogleCodeExporter commented 9 years ago
Both scenarios verified successfully with git snapshot taken on 12/09/2013.
Details are documented under issue 188.

Thanks!

Original comment by y...@indiatimes.com on 10 Dec 2013 at 7:17

GoogleCodeExporter commented 9 years ago
This just landed in Fedora 20, everything works as expected!
Thanks a bunch!

Original comment by fulldi...@gmail.com on 23 Dec 2013 at 9:05