[dm-crypt] few questions on truecrypt and luks

Arno Wagner arno at wagner.name
Sun Apr 14 18:50:58 CEST 2013


Hi,

first I should say that the FAQ is sadly out of date with regard
to anything TrueCrypt, as I wrote most of it well before 
TrueCryupt support was added. Feel free to point out anything
that needs adjustment, I will eventually find the time to do it ;-)

It should also be said that TrueCrypt format is an "alien" 
option, in my view primarily for secure data-sharing with
Windows. (Milan: If the strategic intention is different,
please correct me.) As such, a full comparison or representation
as primary format option is probably not a good idea.

On Sat, Apr 13, 2013 at 05:39:00PM -0400, .. ink .. wrote:
> section 2.2 of FAQ talks of differences btw plain and luks volumes.It would
> be nice if the FAQ would also talk of differences btw luks and truecrypt
> since cryptsetup now supports truecrypt volumes.
> 
> Two differences i can think of are:
> 1. truecrypt volume header is hidden while luks volume header is open.

Not really. The TrueCrypt headers per default are open.
Only if you use the "hidden Volume" option are they hidden
and they are not hidden very well, as _that_ seems to be 
infeasible. 

> 2. luks can use upto 8 keys while truecrypt only uses one.

No multiple keys in TrueCrupt? That is a serious limitation.

> 3. luks doesnt support hidden volumes.

Wel, yes. Not that they are helping. I know that forensics
people now routinely do entropy analysis of unused and
used disk space, so these volumes are not very hidden 
anymore. Not that they were before. Encryption is for
access control, not for hiding data. For that use
steganography.  

> Is there any other? cryptographically,plain volumes seem to be weaker
> compared to luks volumes.what about luks compared to truecrypt?

Plain is at the same strenght, but you need a good passphrase.
 
> since truecrypt also uses a header,assuming the same use cases and with the
> same number of users,will truecrypt volume's header be corrupted at the
> same rate luks headers will?

Well, plain TrueCrypt volumes seem to include header backups (whith
all the security problems that brings), but not for system encryption.

It should also be noted that so far all reported LUKS header and
keyslot corruptions were due to user error or in one case
distro-installer error (Ubuntu). As Linux treats you like a
responsible adult, the option to corrupt your headers is always
there. And with TrueCrypt system encryption, it seems about
as likely to happen ad with LUKS when using Linux. Windows makes
everything much harder, including damaging your encrypted volume.

> Also,cryptsetup 1.6.0 added supported for opening of truecrypt volumes but
> nothing is currently mentioned on adding support for creating of truecrypt
> volumes.Is the support planned at some point in the future?

I don't think so. See above. Seriously, if you want to create
a TrueCrypt volume under Linux, use the TrueCrypt tools, not
cryptsetup.

Now, if there is interest, I can add a "TrueCrypt" section to 
FAQ section 7, naybe even giving a brief discussion of the
differences to LUKS. 


Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare


More information about the dm-crypt mailing list