[dm-crypt] please HELP - can't access encrypted LVM after linux reinstallation.

Jonas Meurer jonas at freesources.org
Mon Oct 31 23:17:57 CET 2011



On 31.10.2011 08:18, Arno Wagner wrote:
> In addition, any kind of automatic header backup breaks the LUKS
> security model and needs to come with a very clear warning if
> automatized (as in an installer). The problem is that old
> passphrases will be stored and will survive deletion in the active
> LUKS header. That is not good at all.

While I agree with you that cryptsetup already does a lot to prevent
data (i.e. header) loss, I don't see a reason why (optional) header
backup at some random place on the device would be such a big security
problem.
For sure the exact place of the backup header would be stored in the first
header, and any cryptsetup action which changes/wipes (parts of) the
header would need to do this for the backup header as well.

Overwriting the first kbytes of the device would no longer be sufficient.
Instead, overwriting the header would require actually overwriting
both the first and the backup header. But that's the only drawback I can see
so far.

I guess that I missed something important.

Greetings,
 jonas
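
A simplified model of the two positions in this exchange, added here as an illustration and not code from cryptsetup or from either poster. It compares a header backup that is never updated with one that mirrors every keyslot change. The header layout, the XOR key wrapping and all function names are assumptions of this toy model, not the LUKS on-disk format.

```python
import copy
import hashlib
import os

def _kek(passphrase, salt):
    # Key-encryption key derived from the passphrase (toy iteration count).
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 1000, dklen=32)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_header(master_key, passphrases):
    # One keyslot per passphrase; each slot wraps the same master key.
    slots = []
    for p in passphrases:
        salt = os.urandom(16)
        slots.append({"salt": salt, "wrapped": _xor(master_key, _kek(p, salt))})
    return {"mk_digest": hashlib.sha256(master_key).digest(), "slots": slots}

def unlock(header, passphrase):
    # Try every live slot; return the master key on a digest match, else None.
    for slot in header["slots"]:
        if slot is None:
            continue
        candidate = _xor(slot["wrapped"], _kek(passphrase, slot["salt"]))
        if hashlib.sha256(candidate).digest() == header["mk_digest"]:
            return candidate
    return None

def kill_slot(header, index):
    header["slots"][index] = None  # stands in for overwriting the slot on disk

def demo():
    mk = os.urandom(32)  # constructed sample key
    active = make_header(mk, ["old-passphrase", "new-passphrase"])
    stale = copy.deepcopy(active)   # backup taken once, never touched again
    synced = copy.deepcopy(active)  # backup that mirrors every header change
    for hdr in (active, synced):    # revoke the old passphrase
        kill_slot(hdr, 0)
    result = {
        "active_accepts_old": unlock(active, "old-passphrase") is not None,
        "stale_accepts_old": unlock(stale, "old-passphrase") == mk,
        "synced_accepts_old": unlock(synced, "old-passphrase") is not None,
    }
    active["slots"] = [None, None]  # wipe only the first header
    result["synced_survives_wipe"] = unlock(synced, "new-passphrase") == mk
    return result
```

In this model the stale copy still yields the master key for the revoked passphrase, the mirrored copy does not, and wiping only the first header leaves the data unlockable through the backup.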

