[dm-crypt] The future of disk encryption with LUKS2
arno at wagner.name
Fri Feb 5 16:24:40 CET 2016
On Fri, Feb 05, 2016 at 16:01:14 CET, Yves-Alexis Perez wrote:
> On ven., 2016-02-05 at 14:31 +0100, Arno Wagner wrote:
> > No. You are trying to solve the wrong problem. First, disk
> > encryption with 1:1 mapping will never give you integrity
> > protection and the other variants kill performance.
> I perfectly understand that, thank you. Again, I'm *well aware* of the need to
> store integrity patterns somewhere. I'm *not* asking for 1:1 mapping.
> Can I sincerely ask that you not consider at first (and second, and third)
> that I didn't think first about what I was asking on the list?
Then why are you asking about integrity protection on a list
dedicated to a block-layer encryption system? That does not make
any sense. If you state things that do not make sense then I
will point that out, because there is a real possibility that
your reasoning process (I am not implying there was none) was
> > And second, who says anything about the "evil maid" changing
> > things in the encrypted container?
> I'm not following you here.
Attacks on hardware, replacement of the disk with something that
attacks the boot process, Firewire, USB, etc. vulnerabilities,
changes in non-encrypted areas, etc.
> > Seriously, what you want you do not do with disk encryption,
> > but with PGP/GnuPG on file-level.
> Because encrypting a whole disk with GnuPG doesn't really scale, for
> example? I have to admit I'm a bit puzzled by the question on this list,
> to be honest.
Use eCryptFS for a scalable implementation of that idea.
In fact, eCryptFS uses a file-format derived from PGP,
and that is no accident.
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno at wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier