[dm-crypt] few questions on truecrypt and luks
arno at wagner.name
Sun Apr 14 22:23:54 CEST 2013
On Sun, Apr 14, 2013 at 08:48:46PM +0200, Milan Broz wrote:
> On 14.4.2013 18:50, Arno Wagner wrote:
> > It should also be said that TrueCrypt format is an "alien"
> > option, in my view primarily for secure data-sharing with
> > Windows. (Milan: If the strategic intention is different,
> > please correct me.) As such, a full comparison or representation
> > as primary format option is probably not a good idea.
> I would just use "external on-disk format" intead of "alien"
> but this was the plan - easily share data with Windows.
"alien: in the spirit of the Debian "alien" package.
> >> 1. truecrypt volume header is hidden while luks volume header is open.
> > Not really. The TrueCrypt headers per default are open.
> > Only if you use the "hidden Volume" option are they hidden
> > and they are not hidden very well, as _that_ seems to be
> > infeasible.
> Hm, maybe you have two different definition of "open".
> Truecrypt header should not be detectable without password
> knowledge, it starts with 64 bytes random salt and rest is always
> encrypted with key derived from password + optionally keyfiles.
> All headers are in this format, primary, hidden and even backup header.
> They are located just on different positions on disk.
> So if "open" means easily detectable, truecrypt header is not
> easily detectable. (That's why code need to test all combinations
> of ciphers to say that password is wrong...)
Well, not "open plain directly visible" like the LUKS header.
More like pretty clear that something encrypted is in there
if somebody competent checks. And there will be the TrueCrypt
software on the sytem disk with most users, possibly even with
the partition to mount still remembered. But I agree, calling
this "open" is not fair. But I would not say it really qualifies
as "hidden" either. Maybe "opaque".
> >> since truecrypt also uses a header,assuming the same use cases and with the
> >> same number of users,will truecrypt volume's header be corrupted at the
> >> same rate luks headers will?
> > Well, plain TrueCrypt volumes seem to include header backups (whith
> > all the security problems that brings), but not for system encryption.
> Truecrypt system encryption force you to burn recovery disk
> which is able to fix boot loader and header problems.
Hmm. I don't remember that, but if so I must have one of
these lying around here somewhere ;-)
> And it warns you that storing iso image on encrypted disk itself is
> not good idea. Twice.
> When I tested my code, I reencrypted windows installation and
> ignored this advice...
> Then I decided to resize encrypted system with some advanced
> partiton tool...
Where have I heard that story before.... Hmm...
> (If your guess is that tool completely destroyed truecrypt header,
> you are right :-)
> In fact, this was proof that cryptsetup works here - because I lost
> access to recovery disk but I did know passphrase, I was able to open
> the device with cryptsetup and backup header located in old position,
> read and burn recovery image and fix the whole disk.
> Lessons learned :)
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno at wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult. --Tony Hoare
More information about the dm-crypt