[dm-crypt] Blog post on FDE and integrity protection

Arno Wagner arno at wagner.name
Wed Aug 31 23:29:40 CEST 2011


Commercial, for sure. It combines fragments from well-known
facts and marketing speech. And it has not understood the
problem, advertising for SAN/cloud services, where storage is
not block-based but file-based. 

I should also note to anyone contemplating "solution" 3
that RAID1 does not read both devices on read access,
and inconsistencies will only show up if you or your
distro does RAID consistency checks. 

And of course the whole article does not apply to the
SAN/cloud setting in the first place, as the attack 
scenario is for an unmapped encrypted filesystem and 
an attacker getting write access to that, i.e. the
encrypted raw (block) view needs to be exported to 
the attacker. I do not see how that would be done in the
SAN/Cloud setting. These do their own filesystem
and block encryption must be done below the FS layer, 
there is no way around that.

Arno



On Wed, Aug 31, 2011 at 04:25:51PM +0200, Heinz Diehl wrote:
> On 31.08.2011, Yaron Sheffer wrote: 
> 
> [....]
> 
> In what way is this related to LUKS / dmcrypt?
> It's plain advertising, isn't it? Gaah!

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno at wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 


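A check for the point about RAID consistency checks in the message above, as an added example that is not part of the original post: it reads the Linux md sysfs counters and lists RAID1 arrays whose last scrub recorded differing mirror legs. The function name is hypothetical, and the optional directory argument is an assumption added so the function can be pointed at a constructed tree instead of `/sys/block`.

```shell
#!/bin/sh
# Added example (not from the original post).
# Normal RAID1 reads are served from one leg only, so a block modified on
# the other leg stays invisible until a "check" pass compares both copies.
# To start such a pass (as root):  echo check > /sys/block/md0/md/sync_action
#
# Usage: md_mismatch_report [sysfs_block_dir]   (default: /sys/block)
# Prints one line per RAID1 array; returns 1 if any array reports
# mismatch_cnt > 0 or the counter cannot be read.
md_mismatch_report() {
    root=${1:-/sys/block}
    rc=0
    for md in "$root"/md*/md; do
        [ -d "$md" ] || continue                 # glob matched nothing
        level=$(cat "$md/level" 2>/dev/null) || continue
        [ "$level" = "raid1" ] || continue       # only mirrors are of interest
        name=$(basename "$(dirname "$md")")
        action=$(cat "$md/sync_action" 2>/dev/null) || action=unknown
        count=$(cat "$md/mismatch_cnt" 2>/dev/null) || count=
        case $count in
            ''|*[!0-9]*)
                echo "$name: mismatch_cnt unreadable"
                rc=1
                continue ;;
        esac
        if [ "$action" != "idle" ]; then
            # Counter is still being updated while a check/resync runs.
            echo "$name: $action in progress, mismatch_cnt=$count so far"
        elif [ "$count" -gt 0 ]; then
            echo "$name: MISMATCH mismatch_cnt=$count"
            rc=1
        else
            echo "$name: mismatch_cnt=0 (no differences recorded)"
        fi
    done
    return $rc
}
```

A zero counter only means something if a check has actually run on the array, which is the point made in the message.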