[dm-crypt] blkid and aes-cbc-plain/aes-cbc-essiv:sha256

Arno Wagner arno at wagner.name
Tue Mar 13 19:34:19 CET 2012


On Tue, Mar 13, 2012 at 12:14:47PM -0400, .. ink .. wrote:
> > That said, I agree that guessing is not the right approach.
> > What if, for example, there is an old first block
> > lying around, but the new crypto-container is at an offset?
> > In that case not even the cipher or the key might be the same!
> >
> > Arno
> >
> >
> ok, that makes sense but this raises a fundamental problem with plain
> volumes, a problem that must have had a solution since the type was in use
> when luks wasnt around.My problem was a specific problem from a general
> problem.


Simple: Put the right stuff into /etc/fstab and maybe /etc/crypttab
and/or mount manually. Not everything needs to be automated.

 
> Lets say somebody uses cryptsetup tool directly to create a plain mapper
> with options they think are appropriate for the volume, how will this
> person know they have used the right options? say the right mode or  did
> not mistype a character in the passphrase?


Simple again: They created the volume, and if they did it with
non-default values, then if mounting fails they have to make
sure passphrase _and_ all other parameters are correct. In 
practice, you use the defaults unless you have a good reason 
not to. If you use something else, you will make sure that 
you remember, e.g. by encapsulating it in a script or writing
it down. Only the passphrase must be kept secret.


> If it is known that the volume has a file system, then looking for file
> system signature is the most logical thing to do(this is the approach i
> took with available tools). If they cant find the signature then they can
> assume one or more of the options is wrong. If they find it then they can
> assume the options are correct. If this way is wrong, then what is the
> right way?


There is no right way. The user is the only one that knows what
is in there. 


> what is the recommended way and what tools are to be used to check if a
> created plain mapper is created with proper options?


Remembering how it was created. There is no other "correct" way.


> How did distros back in the day when luks wasnt around and when they were
> using plain volumes checked to make sure a user created the plain mapper
> with a proper a passphrase?


In those days, distros generally did not help the user with encrypted
volumes. The best available was that the user had to write their
own mapping scripts or maybe cpuld manually make an entry in something
like /etc/crypttab. There certainly was no automatization and there
usually is none today. Or if you look at a recent Ubuntu bug, there
are some attempts at automaization that do more harm than good.

On a meta-layer, what you want to do is take the competent 
system administrator that knows what he/she is doing and how
they configured their system out of the loop. That is a very 
Windows or Mac thing to do, but not a very Unix one. Unix gives
you the tools and lets you decide how you want to use them.
That approach is not very compatible with automating things in 
a default way.

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno at wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty 
are stupid, and those with any imagination and understanding are filled 
with doubt and indecision. -- Bertrand Russell 


More information about the dm-crypt mailing list