[dm-crypt] Pass+keyfile

0x14 at unseen.is 0x14 at unseen.is
Tue Dec 2 01:15:45 CET 2014


Ok then. You know, firstly I wrote a long answer for you, but then I
thought it would be counterproductive. So I'll try to make things simpler.

cryptsetup has a --header option, right? So, my first question - why? :)
From man: "This options allows one to store ciphertext and LUKS header
on different devices." Why would anyone want the header to be on a different
device? From the FAQ, about differences between plain and LUKS mode: "it is
not readily apparent that there even is encrypted data on the device, as
an overwrite with crypto-grade randomness (e.g. from /dev/urandom) looks
exactly the same on disk." (and yes, I read the side-note below). So, I
thought --header is for those who want their LUKS containers to look like
just random data, having one device with random data and a file, where
it is written "I am a LUKS header". And I wanted to have one device with
random data and a file with random data - I thought it would be more
secure in some ways. So, the second thing I really want to know - where
is the bad logic in my reasoning? :)

Thanks!

