[dm-crypt] Few questions from a new user

.. ink .. mhogomchungu at gmail.com
Fri Jan 10 16:33:56 CET 2014


> If you look at the header specification linked here:
>   http://code.google.com/p/cryptsetup/wiki/Specification
>
> in Figure 1 you find the cipher and mode for the actual disk
> encryption, and the "hash-spec" which is the hash-function
> used by PBKDF2.
>
> Sorry, I was confused yesterday, you can change the hash.
> (I had just though about PBKDF2 which you cannot easily
> change to, say, scrypt...)
>
>
Thanks for the clarification,your comment seemed to be in contradiction
with what i was understanding from reading the spec and i even peeked at
cryptsetup source code to make a sense of your comment before giving up
because i was spending too much time on something that will amount to
nothing.



> So changing the hash does not do anything, really as the
> attacker can only try to brute-force the passphrase and
> that takes the same effort for SHA-1 and for SHA-512.
>
>
cryptsetup 1.6.0 changed default cipher mode from cbc to xts not because
cbc had practical issues but because xts was becoming a
standard[1].Sometimes it makes sense to be where everybody else is if being
anywhere is just as good as being anywhere else.If it makes not practical
difference btw SHA1 and SHA2,then moving away from SHA1 seem like a good
idea with the reason being having one less thing to explain in the FAQ.

[1] http://comments.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt/6409
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.saout.de/pipermail/dm-crypt/attachments/20140110/ce3837d8/attachment.html>


More information about the dm-crypt mailing list