You can't mount an HFS+ partition encrypted in OS X using mount's option encryption=aes. The reason is that encrypted HFS+ partitions and volumes use a proprietary format.
Neither Cryptoloop nor Loop-AES, which are the underlying decryption methods used by mount and encryption, understand that format.
This is what I found out:
Cryptoloop can mount partitions or disk images encrypted as a single AES block (this is called single-key mode, see http://www.tldp.org/HOWTO/html_single/Cryptoloop-HOWTO/#cryptoloop-introduction):
  /dev/sdXX
 disk image                                                         /dev/loopX
+-----------+                                                    +-------------+
|           |                                                    |             |
|           |                                                    |             |
|           |                                                    | unencrypted |
| AES block | -AES passwd->AES key->decrypt I/O to loop device-> |  partition  |
|           |                                                    |             |
|           |                                                    |             |
|           |                                                    |             |
+-----------+                                                    +-------------+
AES-Loop can mount single-key (like above) and multi-key encrypted partitions or disk images:
  /dev/sdXX
  disk image                                                         /dev/loopX
+------------+                                                    +-------------+
|AES block #1|                                                    |             |
+------------+                                                    |             |
|AES block #2|                                                    | unencrypted |
+------------+ -AES passwd->AES key(s)->decrypt I/O to loop dev-> |  partition  |
|AES block #3|                                                    |             |
+------------+                                                    |             |
|    ...     |                                                    |             |
+------------+                                                    +-------------+
On the other hand, an encrypted HFS+ partition:
Cryptoloop's successor, dm-crypt, can't read encrypted HFS+ either.
But before all hope is gone:
As for the error messages you encountered:
First error:
Error: Password must be at least 20 characters.
Surprisingly, mount enforces long passwords not only for encryption but also for decryption, although you may not have control over the partition to decrypt. You can only get around this nuisance by downloading and editing the source and recompiling. (Other distributions, like SuSE Linux Enterprise Server (SLES), don't have this restriction.)
Second error:
ioctl: LOOP_SET_STATUS: Invalid argument, requested cipher or key (256 bits) not supported by kernel
You need to load the Cryptoloop kernel module:
$ sudo modprobe cryptoloop
because although you installed package loop-aes-utils you are not using Loop-AES.
Loop-AES uses several modified user space tools (mount, umount, losetup, swapon and swapoff, provided by loop-aes-utils) and a modified loop.ko kernel module. Recent Ubuntu versions compile an unmodified loop module into the kernel:
$ cd /usr/src/linux-source-3.2.0/linux-source-3.2.0/drivers/block/
$ diff -q /tmp/loop.c-3.x.patched loop.c
Files /tmp/loop.c-3.x.patched and loop.c differ
so Loop-AES can't be used on Ubuntu out of the box. You need to patch and recompile the kernel as explained here: http://loop-aes.sourceforge.net/loop-AES.README. That's why mount still needs Cryptoloop.
If you still get a similar error message after loading cryptoloop.ko, the encryption type may not be recognized. For example, my Ubuntu 12.04 didn't recognize aes-128, but aes. SLES only recognizes aes-128.
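A diagnostic for the second error, added here as an example and not part of the original answer: it checks whether cryptoloop is loaded, whether loop is a loadable module, and whether the kernel's crypto table lists the cipher with a large enough key. The function names are hypothetical, and matching the mount cipher name against the "name" field of /proc/crypto is an assumption.

```sh
#!/bin/sh
# Added example. File paths are parameters so the checks can also be run
# against saved copies of /proc/modules and /proc/crypto.

# module_loaded NAME [MODULES_FILE]: succeeds if NAME is a loaded module.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' \
        "${2:-/proc/modules}"
}

# cipher_max_keybits NAME [CRYPTO_FILE]: prints the largest "max keysize",
# converted to bits, among records whose name is NAME; prints 0 if none.
cipher_max_keybits() {
    awk -F' *: *' -v want="$1" '
        $1 == "name" { cur = $2 }
        $1 == "max keysize" && cur == want && $2 * 8 > best { best = $2 * 8 }
        END { print best + 0 }
    ' "${2:-/proc/crypto}"
}

# diagnose CIPHER KEYBITS [MODULES_FILE] [CRYPTO_FILE]
# Returns 0 when cryptoloop is loaded and CIPHER supports KEYBITS.
diagnose() {
    mods="${3:-/proc/modules}"
    crypto="${4:-/proc/crypto}"
    rc=0
    if ! module_loaded cryptoloop "$mods"; then
        echo "cryptoloop is not loaded: run 'sudo modprobe cryptoloop'"
        rc=1
    fi
    # Heuristic: a loop driver compiled into the kernel is not listed as a
    # module, so a patched Loop-AES loop.ko cannot be the one in use.
    if ! module_loaded loop "$mods"; then
        echo "loop is not a loadable module: stock driver, Loop-AES not active"
    fi
    max=$(cipher_max_keybits "$1" "$crypto")
    if [ "$max" -lt "$2" ]; then
        echo "cipher '$1': kernel lists at most $max key bits, need $2"
        rc=1
    fi
    return $rc
}

# Usage on the live system: diagnose aes 256
```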
Not sure if this makes a difference, but have you tried aes256 instead of aes-256? – Ansgar Wiechers – 2012-09-21T19:56:30.943
yes - same result for both - even just using "aes" gives the same result – pagid – 2012-09-21T20:01:21.943