[dm-crypt] Cascading two plain dm-crypt volumes

Claudio Moretti flyingstar16 at gmail.com
Fri Nov 29 01:08:25 CET 2013


Forgot to hit "reply to all". Forwarding to the list.
---------- Forwarded message ----------
From: flyingstar16 at gmail.com
Date: 29 Nov 2013 00:06
Subject: Re: [dm-crypt] Cascading two plain dm-crypt volumes
To: anderson jackson <thewizard at mighty.co.za>
Cc:


On 28 Nov 2013 23:32, "anderson jackson" <thewizard at mighty.co.za> wrote:
>
> Hello,
>
> I have a small question regarding luks and plain dm-crypt, and I am unsure
> what to use.
>
> I feel that the advantages provided by Luks obviously offer extra security
> compared to plain, however I feel uneasy about the obviousness of the fact
> that the drive is encrypted. Mainly because a disk with just random data could
> have been wiped instead of encrypted. I would like the extra security provided
> by luks without it being obvious that the disk is encrypted. To combat this I
> was thinking about doing a cascade of two identical ciphers in plain mode

I may be mistaken, but (a) if you're using plain mode, there is no
indication that the disk is encrypted; from the FAQ:

"Plain format is just that: It has no metadata on disk, reads all
parameters from the commandline (or the defaults), derives a master-key
from the passphrase and then uses that to de-/encrypt the sectors of the
device, with a direct 1:1 mapping between encrypted and decrypted sectors."

And if you're worried about the fact that if a hacker gets your password
right he will be able to decrypt your disk, there is no guarantee that it
can happen twice. True, the probability gets extremely reduced, but AFAIK
current estimates say that to crack AES128 you need 30 years of continuous
computing, so...

If instead you meant two cascaded luks partitions, you still need the luks
identifier in the "inner" partition, so an attacker would know when your
partition is open because the luks header of the partition will be in
plaintext.

All of this is to the best of my actual knowledge, if I got something
wrong, please correct me.

Cheers,

Claudio
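
Added example, not part of the original message or of cryptsetup: a header check illustrating the difference discussed above, where a LUKS volume announces itself through its on-disk header while a plain-mode volume (like a random wipe) has nothing to parse. The sample buffers are constructed, and the 7.9 bits/byte threshold is an assumption that suits a 4 KiB sample.

```python
import math
import os
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"                     # first 6 bytes of any LUKS header
# LUKS1 header prefix (big-endian): magic, version, cipher name, cipher mode,
# hash spec, payload offset, key bytes
LUKS1_PREFIX = struct.Struct(">6sH32s32s32sII")

def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte histogram; 8.0 means uniformly random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in counts if c)

def _text(raw: bytes) -> str:
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def classify(head: bytes) -> dict:
    """Classify the first bytes of a block device or image."""
    if head[:6] == LUKS_MAGIC and len(head) >= LUKS1_PREFIX.size:
        _, version, cipher, mode, hash_spec, _, key_bytes = LUKS1_PREFIX.unpack_from(head)
        if version != 1:      # LUKS2 lays out the fields after 'version' differently
            return {"kind": "luks", "version": version}
        return {"kind": "luks", "version": 1, "cipher": _text(cipher),
                "mode": _text(mode), "hash": _text(hash_spec), "key_bits": key_bytes * 8}
    # No header: plain dm-crypt ciphertext and a random wipe both end up here.
    h = entropy_bits_per_byte(head)
    return {"kind": "random-looking" if h > 7.9 else "structured", "entropy": round(h, 2)}

# Constructed samples (not taken from any real disk).
SAMPLE_LUKS1 = LUKS1_PREFIX.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha1",
                                 4096, 64).ljust(4096, b"\0")
SAMPLE_HEADERLESS = os.urandom(4096)   # stands in for plain-mode ciphertext or a wipe
SAMPLE_ZEROED = bytes(4096)

if __name__ == "__main__":
    for name, blob in [("luks1", SAMPLE_LUKS1), ("headerless", SAMPLE_HEADERLESS),
                       ("zeroed", SAMPLE_ZEROED)]:
        print(name, classify(blob))
```

The headerless result only says the data looks random; it cannot tell encryption from a wipe.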