[dm-crypt] minimal LUKS container size

Arno Wagner arno at wagner.name
Fri Dec 16 10:19:00 CET 2011


On Fri, Dec 16, 2011 at 09:25:21AM +0100, Milan Broz wrote:
> On 12/16/2011 08:14 AM, Arno Wagner wrote:
> > To my surprise, giving alignment --align-payload=1 (or = 2) results 
> > in a data-area staring at 0x101000, while --align-payload=0 gives 
> > 2MiB offset. Is this rounded up to multiples of 8? I had a brief 
> > look into the sources but did not find the relevant code. 
> > The full behaviour should go into the man-page under the 
> > explanation for "--align-payload". 
> 
> Align 0 should switch to internal default (4k).

What about 1? Also 4k? And if I put in, say, 11?
 
> Man page needs rewrite and many grammar and wording fixes...
> Any volunteers? :-)
> 
> > Data area size can be 512 bytes (verified with loop-device), but
> > not 0 bytes, as this gives an ioctl-error on opening.
> 
> yes, I think there is also internal check now.

Possibly. I tested this with the older 1.3.1

> There is a problem with dmcrypt (kernel) -> userspace error reporting,
> some fails (like unsupported key size) are only in syslog,
> so cryptsetup have to guess to display proper error message,
> it need some device-mapper changes though.
>  
> > For cipher, the most extreme I found is RC4 with an 8 bit key.
> > This can be luksFormat-ed, but fails on opening. This is 
> > probably a bug when using arc4, as it fails for 128 bit as well.
> > (tested with 1.4.1). 
> 
> Repeat after me: arc4 is not a block cipher :-p

No need, I know that. But the formatting should fail, not 
only the opening. And in all fairness, a stream-cipher could
still be used for LUKS, just a bit differently and the
result would be insecure.
 
> Seriously, you are not the only one trying to do this,
> read this thread
> http://thread.gmane.org/gmane.linux.kernel.cryptoapi/3822/
> I am not sure if crypto API is changed now though (see Herbert's reply
> in that thread.)

So there is no way to tell except testing whether a cipher
is a stream or block cipher? Not good. Maybe a test should
be added, e.g. encrypting a block of test-data twice and
if the results are different refuse the format...

> > Blowfish with 64 bits works though, but is insecure, so added with
> > a warning. 
> 
> My strategy is to provide known "secure" defaults and do not block
> anything - there can be always use for some old containers.

Yes, and that is a good approach.

> If anyone feel need for anything else (you can even write your own
> kernel cryptoAPI module and use it without changes in dmcrypt),
> no problem - but it is user responsibility that the cipher and
> parameters are secure enough for his use case.

Hence the warning.

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno at wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 


More information about the dm-crypt mailing list