[dm-crypt] Authenticated Encryption for dm-crypt

Milan Broz gmazyland at gmail.com
Tue May 21 19:22:59 CEST 2013


On 21.5.2013 15:58, Ralf Ramsauer wrote:
> Arno, your objections are legitimate.Though I think that authenticity
> would be a nice feature to dm-crypt.
> And i also think, that it *could* be realisable.

... And you are not the first thinking about this :-)

We even talked about using GCM mode (around 2011) but unfortunately
student interested in some proof-of-concept implementation for dmcrypt
abandoned this project.
(Maybe time for another try...)

Whatever, there are at least three basic concepts:

- one said, this should be done on higher level (where you know
which sectors contains real data - e.g. btrfs)

- second, which prefers separation of integrity and encryption
(see e.g. dm-integrity patches on dm-devel or dm-verity for read-only)
(You can stack integrity above dmcrypt.)

- and the third, using auth mode directly in dm-crypt
Here I would prefer to have some "standardised" on-disk layout for auth
tag. There are several approaches. (Some would work
better with non-rotational media, some are more problematic.)

(If you don't mind losing half of the disk space, you can internaly
use 1+1 sector (wasting second sector just for auth tag) and play
with disk limits/topology and sector size. This would work nicely even
for rotational media.

(Storing more tags in one sector is just slightly more complicated,
but it adds more risk for data corruption if write fails during
powerfail or so.)

I am not sure how much useful is using authenticated encyption
for real applications, but as my former colleague would say - please
send a patch :-)

Milan


More information about the dm-crypt mailing list