[dm-crypt] few questions on truecrypt and luks

Milan Broz gmazyland at gmail.com
Sun Apr 14 20:48:46 CEST 2013


On 14.4.2013 18:50, Arno Wagner wrote:

> It should also be said that TrueCrypt format is an "alien" 
> option, in my view primarily for secure data-sharing with
> Windows. (Milan: If the strategic intention is different,
> please correct me.) As such, a full comparison or representation
> as primary format option is probably not a good idea.

I would just use "external on-disk format" intead of "alien"
but this was the plan - easily share data with Windows.

>> 1. truecrypt volume header is hidden while luks volume header is open.
> 
> Not really. The TrueCrypt headers per default are open.
> Only if you use the "hidden Volume" option are they hidden
> and they are not hidden very well, as _that_ seems to be 
> infeasible. 

Hm, maybe you have two different definition of "open".

Truecrypt header should not be detectable without password
knowledge, it starts with 64 bytes random salt and rest is always
encrypted with key derived from password + optionally keyfiles.

All headers are in this format, primary, hidden and even backup header.
They are located just on different positions on disk.

So if "open" means easily detectable, truecrypt header is not
easily detectable. (That's why code need to test all combinations
of ciphers to say that password is wrong...)

>> since truecrypt also uses a header,assuming the same use cases and with the
>> same number of users,will truecrypt volume's header be corrupted at the
>> same rate luks headers will?
> 
> Well, plain TrueCrypt volumes seem to include header backups (whith
> all the security problems that brings), but not for system encryption.

Truecrypt system encryption force you to burn recovery disk
which is able to fix boot loader and header problems.

And it warns you that storing iso image on encrypted disk itself is
not good idea. Twice.
When I tested my code, I reencrypted windows installation and
ignored this advice...
Then I decided to resize encrypted system with some advanced partiton tool...
(If your guess is that tool completely destroyed truecrypt header,
you are right :-)

In fact, this was proof that cryptsetup works here - because I lost
access to recovery disk but I did know passphrase, I was able to open
the device with cryptsetup and backup header located in old position,
read and burn recovery image and fix the whole disk.

Lessons learned :)

Milan


More information about the dm-crypt mailing list