[pkg-cryptsetup-devel] Bug#518266: cryptsetup: determining available hashes/ciphers/keysize

Jonas Meurer jonas at freesources.org
Fri Jul 31 00:23:33 UTC 2009


hey,

On 14/06/2009 Sebastian Andrzej Siewior wrote:
> >The cryptsetup(8) man page mentions the default hash, cipher, and keysize 
> >values for different cases, but I am looking for a way to determine what 
> >values are available. Looking at the source it seems to determine this from 
> >/proc/crypto (so I guess depends on what kernel modules are loaded?).
> To some degree yes. If you don't use any crypto support then usually no
> modules are loaded and /proc/crypto is empty. Once you start let's say
> luksFormat with aes-xts as the algorithm, both (aes & xts) are loaded by
> the kernel (if available of course).

in fact /proc/crypto is the only useful source for available
combinations of crypto ciphers, modes, keysizes and hashtypes.

> >Could cryptsetup have an option to print available options? Maybe if you 
> >invoked a flag with "list" like
> >
> >  cryptsetup --cipher list
> >
> >it could list available options?
> This could be possible but would require to probe all variants / load
> all modules.

it is not an option at all to try all available crypto modules in order
to list possible combinations. there is not even a way to compile a list
of possibly available kernel modules. third-party crypto modules do exist,
and new ones are added with any major kernel release.

> >Also I think only certain combinations are supported, it would be nice if 
> >somehow it could list those too.
> There are almost no exceptions I think, however some are not clever like
> aes-ecb :)
> I think the best way to go is to make a static list (part of the docs).

even that one is not an option as this list would have to be updated
with every kernel release.

i added a paragraph to the cryptsetup manpage that mentions /proc/crypto.
next upload of cryptsetup will close this bugreport.

here's the paragraph I added:


---
NOTES ON SUPPORTED CIPHERS, MODES, HASHES AND KEY SIZES

The supported combinations of ciphers, modes, hashes and key sizes
depend on the available kernel modules. See /proc/crypto for a list of
available options. You might need to load additional kernel crypto
modules in order to support more combinations.
---

please send patches if you have ideas how to improve the documentation.

greetings,
 jonas
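
An added example, not part of the original message and not cryptsetup code: a small parser for the /proc/crypto record layout that reports each registered algorithm with its type, key or digest size in bits, and providing module. The function names are hypothetical and SAMPLE is constructed; as the thread notes, only algorithms whose modules are already loaded will appear.

```python
import sys

# Constructed sample in the /proc/crypto layout (not captured from a real system).
SAMPLE = """\
name         : xts(aes)
module       : xts
type         : blkcipher
min keysize  : 32
max keysize  : 64

name         : aes
module       : kernel
type         : cipher
min keysize  : 16
max keysize  : 32

name         : sha256
module       : kernel
type         : shash
digestsize   : 32
"""

def parse_proc_crypto(text):
    """Split blank-line separated records into dicts of field -> value."""
    records = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(":") for line in block.splitlines())
        rec = {k.strip(): v.strip() for k, sep, v in pairs if sep}
        if "name" in rec:
            records.append(rec)
    return records

def summarize(records):
    """Map name -> (type, size in bits, module); the first driver listed wins."""
    out = {}
    for rec in records:
        size = "n/a"
        if "min keysize" in rec:  # the kernel reports sizes in bytes
            size = "key %d-%d bits" % (int(rec["min keysize"]) * 8, int(rec["max keysize"]) * 8)
        elif "digestsize" in rec:
            size = "digest %d bits" % (int(rec["digestsize"]) * 8)
        out.setdefault(rec["name"], (rec.get("type", "?"), size, rec.get("module", "?")))
    return out

if __name__ == "__main__":
    # Pass /proc/crypto as the argument on a Linux host; defaults to SAMPLE.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, info in sorted(summarize(parse_proc_crypto(text)).items()):
        print("%-12s %-10s %-18s %s" % ((name,) + info))
```

A module value of "kernel" means the algorithm is built in; any other value names the loadable module that registered it.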