[dm-crypt] yet another "lost my partition" message

Cristian KLEIN cristiklein at gmail.com
Fri Apr 15 16:21:29 CEST 2011


On 15/04/2011 16:15, Roscoe wrote:
> On Fri, Apr 15, 2011 at 11:52 PM, Cristian KLEIN <cristiklein at gmail.com> wrote:
> ...
>> A posteriori, I cannot help but wonder why such precious information isn't
>> kept redundantly. Surely LUKS could have stored the header in 10 random
>> sectors with an easy-to-grep "HERE I AM" banner. Wouldn't this allow
>> users to recover the master-key (and part of the file-system) without
>> compromising security?
> ...
> 
> It's supposed to be fragile and easily destroyed, this is by design.

I think users expect it to be *secure*, i.e., if a laptop gets stolen in
an airport, the user has no worries. I'm not sure users appreciate
"fragile". Personally, this is not what I expect from full-disk encryption.

> Accidentally running cryptsetup luksFormat is unfortunate, as is running
> mkfs or dd on the wrong device. Good thing for backups.

Still, mkfs and dd give you a second chance (see testdisk and friends).
Why not luksFormat?

Cristi.

