[dm-crypt] Debian 7.10 random key swap Device /dev/sda2 is not a valid LUKS device.

Arno Wagner arno at wagner.name
Thu Apr 7 11:39:09 CEST 2016


In fact, as confidential data can be written to swap,
changing the key on boot is a security feature.

Regards,
Arno


On Wed, Apr 06, 2016 at 22:26:09 CEST, Sven Eschenberg wrote:
> Yes David,
> 
> You are right. And as long as you do not need persistent swap to
> i.e. store a hibernate image, it is absolutely reasonable to use a
> new random key on each boot.
> 
> Regards
> 
> -Sven
> 
> 
> On 06.04.2016 at 21:35, David Christensen wrote:
> >On 04/06/2016 03:55 AM, Michael Kjörling wrote:
> >>On 5 Apr 2016 21:25 -0700, from dpchrist at holgerdanske.com (David
> >>Christensen):
> >>># grep sda2 /etc/crypttab
> >>>sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap
> >>
> >>Since you don't have the "luks" option, Debian does not treat this as
> >>a LUKS device. So when cryptsetup claims that /dev/sda2 "is not a
> >>valid LUKS device" it is quite correct.
> >>
> >
> >Thanks for the information.
> >
> >
> >So, RTFM 'crypttab':  at boot time /sbin/cryptdisks_start will create a
> >plain dm-crypt device with target name 'sda2_crypt'
> >(/dev/mapper/sda2_crypt) from source device /dev/sda2 with a 256-bit key
> >(option 'size') from file /dev/urandom and with cipher aes-xts-plain64
> >(option 'cipher'), and then run /sbin/mkswap on the created device
> >(option 'swap') (?).
> >
> >
> >And, as plain dm-crypt devices do not have a LUKS header,
> >'luksHeaderBackup' has nothing to back up and the error message I'm
> >seeing is expected and correct (?).
> >
> >
> >David
> >
> >_______________________________________________
> >dm-crypt mailing list
> >dm-crypt at saout.de
> >http://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier


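The distinction worked out in this thread, as an added example that is not part of the original messages: a shell script that classifies crypttab entries by the `luks` and `swap` options and the key file, and reports whether a LUKS header exists to back up. The sample crypttab text is constructed (only the `sda2_crypt` entry comes from the thread), and the function names are hypothetical.

```shell
#!/bin/sh
# Classify crypttab entries: <target> <source> <key file> <options>.
# Constructed sample input; only the sda2_crypt entry is from the thread.
SAMPLE_CRYPTTAB='# <target> <source> <key file> <options>
sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap
home_crypt /dev/sda3 none luks
data_crypt /dev/sdb1 /etc/keys/data.key cipher=aes-xts-plain64,size=256'

# has_opt OPTIONS NAME: succeed if NAME is one of the comma-separated options.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# crypttab_kind LINE: print luks, plain-ephemeral-swap, plain-swap or plain.
crypttab_kind() {
    set -f          # split the line on whitespace without globbing
    set -- $1
    set +f
    keyfile=$3
    opts=$4
    if has_opt "$opts" luks; then
        echo luks
    elif has_opt "$opts" swap; then
        case "$keyfile" in
            /dev/urandom|/dev/random) echo plain-ephemeral-swap ;;
            *) echo plain-swap ;;
        esac
    else
        echo plain
    fi
}

# audit_crypttab: read crypttab text on stdin, print one report line per entry.
audit_crypttab() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        kind=$(crypttab_kind "$line")
        case "$kind" in
            luks) note="LUKS header present; luksHeaderBackup applies" ;;
            plain-ephemeral-swap) note="no header; new key each boot, no hibernate image" ;;
            *) note="no header; nothing for luksHeaderBackup to save" ;;
        esac
        set -f; set -- $line; set +f
        printf '%s\t%s\t%s\n' "$1" "$kind" "$note"
    done
}

printf '%s\n' "$SAMPLE_CRYPTTAB" | audit_crypttab
```

To run it over a real system, feed the file in place of the sample: `audit_crypttab < /etc/crypttab`.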