[dm-crypt] Detached headers, multiple drives and UUIDs

Michael Kjörling michael at kjorling.se
Tue Apr 11 09:38:08 CEST 2017


On 10 Apr 2017 22:53 +0200, from 7heo at mail.com (7heo):
> My question regarding this was to know whether it was possible to
> automatically generate temporary derived headers from a "main
> header" (as source). Whether in RAM or as files in a ramdisk (or
> else). That way there is no necessity to manually manage a bunch of
> redundant information.

At this point, I have to ask: Is there any particular reason why you
are trying to make this work with LUKS? It almost sounds like you want
encrypted storage, but you don't really want what LUKS headers add,
and you don't seem to want anything on-disk that is recognizable as
being LUKS.

Specifically, why not just use plain dm-crypt devices?

Then the device itself is guaranteed to not ever contain any
recognizable metadata (you can't even _make_ it contain recognizable
metadata), and you can store that metadata (mainly the cipher settings
and passphrase for master key derivation or the master key itself)
however you prefer.

You can even have a small LUKS container that holds files with
high-grade random data that are used as keys for the dm-crypt devices,
one per encrypted device. That would have the added benefit (or
drawback, depending on your threat model) of allowing a single unlock
operation to enable access to all encrypted devices.

-- 
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)
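
The layout suggested in the message above (plain dm-crypt data devices keyed from random key files that live in a small LUKS container) could be scripted as follows. This is an added example, not part of the original post: the device paths, mapping names, mount point, map-file format and the aes-xts-plain64 / 512-bit settings are assumptions.

```sh
#!/bin/sh
# Added example (constructed); all paths and names are placeholders.
# DRY_RUN=1 (the default) prints the commands instead of running them.
DRY_RUN=${DRY_RUN:-1}
CIPHER=aes-xts-plain64   # plain mode stores nothing on disk, so these
KEY_BITS=512             # settings must be recorded and repeated exactly

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Create a key file of KEY_BITS/8 random bytes, readable by its owner only.
gen_key() {
    ( umask 077 && head -c $((KEY_BITS / 8)) /dev/urandom > "$1" )
}

# Map one plain dm-crypt device, using its key file as the raw volume key.
open_plain() {   # open_plain <block device> <mapping name> <key file>
    run cryptsetup open --type plain --cipher "$CIPHER" \
        --key-size "$KEY_BITS" --key-file "$3" "$1" "$2"
}

# One passphrase prompt (the LUKS key container), then every data device.
# Map file lines: "<block device> <mapping name>"; key is <mount>/<name>.key
unlock_all() {   # unlock_all <LUKS container> <key mount point> <map file>
    run cryptsetup open --type luks "$1" keystore &&
    run mount -o ro /dev/mapper/keystore "$2" || return 1
    # Read the map on fd 3 so the commands cannot consume it via stdin.
    while read -r dev name <&3; do
        case $dev in ''|\#*) continue ;; esac
        open_plain "$dev" "$name" "$2/$name.key" || return 1
    done 3< "$3"
    # The kernel holds the keys once mapped; close the key store again.
    run umount "$2" && run cryptsetup close keystore
}
```

Because a plain device carries no header, a wrong cipher, key size or key file still produces a mapping, just one full of garbage, so check for the expected filesystem before writing to it.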

