commit 8f0b2943ce69c8960740564bff08cb3cea6d5f5e
parent a08cb6e0def4361ea97350d5f5b16e2f3b8bc089
Author: Jaromil <jaromil@dyne.org>
Date: Sat, 9 Jan 2016 10:16:42 +0100
documentation improvements for kdf and dm-crypt cipher choice
Diffstat:
2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/doc/tomb.1 b/doc/tomb.1
@@ -57,6 +57,8 @@ knowing its password. As in any other command requiring a key, the
option \fI-k\fR should be used to specify a key file. The \fI-o\fR
option can be used to specify the cipher specification: default is
"aes-xts-plain64:sha256", old versions of Tomb used "aes-cbc-essiv:sha256".
+If you are looking for something exotic, also try "serpent-xts-plain64".
+More options may be found in cryptsetup(8) and Linux documentation.
This operation requires root privileges to loopback mount, format the tomb (using
LUKS and Ext4), then set the key in its first LUKS slot.
@@ -135,7 +137,7 @@ key and the second and last argument the tomb file.
Increase the size of a tomb file to the amount specified by the
\fI-s\fR option, which is the new size in megabytes (MiB). Full access to the tomb using
a key (\fI-k\fR) and its password is required. Tombs can only grow and
-can never be made smaller. This command makes use of the cryptsetup
+can never be made smaller. This command makes use of the cryptsetup(8)
resize feature and the resize2fs command: its much more practical than
creating a new tomb and moving everything into it.
diff --git a/tomb b/tomb
@@ -969,6 +969,7 @@ get_lukskey() {
kdf_salt="${firstline[(ws:_:)3]}"
kdf_ic="${firstline[(ws:_:)4]}"
kdf_len="${firstline[(ws:_:)5]}"
+ _message "Unlocking KDF key protection ($kdf_hash)"
_verbose "KDF salt: $kdf_salt"
_verbose "KDF ic: $kdf_ic"
_verbose "KDF len: $kdf_len"
@@ -1147,7 +1148,9 @@ gen_key() {
if [[ "$itertime" != <-> ]]; then
unset tombpass
unset tombpasstmp
- _failure "Wrong argument for --kdf: must be an integer number (iteration seconds)."
+ _error "Wrong argument for --kdf: must be an integer number (iteration seconds)."
+ _error "Depending on the speed of machines using this tomb, use 1 to 10, or more"
+ return 1
fi
# --kdf takes one parameter: iter time (on present machine) in seconds
local -i microseconds
@@ -1441,7 +1444,7 @@ forge_key() {
[[ -z "$destkey" ]] && {
_failure "A filename needs to be specified using -k to forge a new key." }
- _message "Commanded to forge key ::1 key::" $destkey
+# _message "Commanded to forge key ::1 key::" $destkey
_check_swap # Ensure the available memory is safe to use
@@ -1468,12 +1471,16 @@ forge_key() {
_message "Commanded to forge key ::1 key:: with cipher algorithm ::2 algorithm::" \
$destkey $algo
+ [[ $KDF == 1 ]] && {
+ _message "Using KDF to protect the key password (`option_value --kdf` rounds)"
+ }
+
TOMBKEYFILE="$destkey" # Set global variable
- _message "This operation takes time, keep using this computer on other tasks,"
- _message "once done you will be asked to choose a password for your tomb."
- _message "To make it faster you can move the mouse around."
- _message "If you are on a server, you can use an Entropy Generation Daemon."
+ _warning "This operation takes time, keep using this computer on other tasks,"
+ _warning "once done you will be asked to choose a password for your tomb."
+ _warning "To make it faster you can move the mouse around."
+ _warning "If you are on a server, you can use an Entropy Generation Daemon."
# Use /dev/random as the entropy source, unless --use-urandom is specified
local random_source=/dev/random