[dm-crypt] few questions on truecrypt and luks
arno at wagner.name
Wed Apr 17 00:44:45 CEST 2013
On Tue, Apr 16, 2013 at 02:27:15PM -0400, .. ink .. wrote:
> > I am not criticizing TrueCrupt here, this seems to be
> > the best that can be done in the given situation, but
> > "the best" is not really good.
> Reading back through the mailing list and on the discussion on the feature
> request on the bug tracker, it seems you just don't like the idea of a hidden
> volume or the idea of having a volume inside another volume.
That is a gross simplification. And unfair. Also inaccurate.
While KISS applies, I have no objections to increasing complexity
if there are significant security benefits. They are _not_ there
with hidden volumes or embedded volumes, as I have explained.
Crypto is for access control, not for hiding things.
> Personally, I prefer PLAIN volumes over LUKS. An example of why is because
> when you plug in a LUKS based usb encrypted device to a gnome desktop, the
> desktop will give a prompt telling whoever is sitting at the desktop that
> the device is encrypted with LUKS and will demand a password to unlock it. I
> may not be hiding my stuff from government agencies, but I also do not like
> to scream at whoever touches my stuff telling them I have encrypted data.
Of course, if you are protecting yourself against incompetent people...
But this does neither require hidden volumes nor embedded volumes.
Plain dm-crypt or plain TrueCrypt is quite enough.
> I don't use truecrypt volumes and I never used the hidden volume feature but
> I can see its appeal,
The appeal is there. But the danger is that people vastly over-estimate
the level of security it gives them.
> it may not be to hide super secret stuff from
> governments but simply to have two volumes in one container to
> "compartmentalize" sensitive data and not try to hide any of it from
> authorities but from say business competitors.
From my observations, "Business competitors" actually are
kept out pretty reliably by open encryption. Just protect
your passphrase adequately. No, the issue at hand is whether
hidden volumes protect you in case somebody can coerce the
passphrase(s) out of you and that somebody does not really
need to prove conclusively that there is a hidden volume.
In those cases, http://xkcd.com/538/ still applies.
Sure, you may go the way of overkill and use hidden
volumes against your kid sister or brother, but that
does violate KISS and any discussion about encryption here
is worldwide visible and some people may actually have
to fight off capable attackers.
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno at wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult. --Tony Hoare
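The point .. ink .. raises about the desktop prompt, and Arno's reply that plain dm-crypt is "quite enough" for that, both come down to one fact: a LUKS volume starts with a fixed, recognizable header, while a plain dm-crypt volume has none and its first sector is just ciphertext. The script below is an added example, not code from this thread or from cryptsetup. It reads the first bytes of an image or device, parses the LUKS1 header fields and the LUKS2 header prefix at the offsets given in the LUKS on-disk format specifications, and reports "no LUKS header" for anything else. The two sample headers and the pseudo-random stand-in for a plain volume are constructed inline for demonstration; the file name `luks_probe.py` in the usage comment is assumed.

```python
import hashlib
import struct
import sys

# On-disk magic shared by LUKS1 and LUKS2 primary headers.
LUKS_MAGIC = b"LUKS\xba\xbe"

# LUKS1 binary header (208 bytes before the eight keyslots), per the LUKS1 spec:
# magic, version, cipher-name, cipher-mode, hash-spec, payload-offset, key-bytes,
# mk-digest, mk-digest-salt, mk-digest-iterations, uuid.
LUKS1_HDR = struct.Struct(">6sH32s32s32sII20s32sI40s")

# LUKS2 binary header prefix, per the LUKS2 spec: magic, version, hdr_size, seqid, label.
LUKS2_PREFIX = struct.Struct(">6sHQQ48s")


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width string field."""
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")


def parse_luks_header(data: bytes):
    """Describe the LUKS header at the start of `data`, or return None when no LUKS
    magic is present (plain dm-crypt and TrueCrypt volumes carry no such marker)."""
    if len(data) < 8 or data[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack_from(">H", data, 6)[0]
    if version == 1 and len(data) >= LUKS1_HDR.size:
        (_, _, cipher, mode, hashspec, payload_off, key_bytes,
         _digest, _salt, iterations, uuid) = LUKS1_HDR.unpack_from(data)
        return {
            "version": 1,
            "cipher": _cstr(cipher),
            "mode": _cstr(mode),
            "hash": _cstr(hashspec),
            "key_bits": key_bytes * 8,
            "payload_offset_sectors": payload_off,
            "mk_iterations": iterations,
            "uuid": _cstr(uuid),
        }
    if version == 2 and len(data) >= LUKS2_PREFIX.size:
        _, _, hdr_size, seqid, label = LUKS2_PREFIX.unpack_from(data)
        return {"version": 2, "header_size": hdr_size, "seqid": seqid, "label": _cstr(label)}
    # Magic present but too few bytes to parse the rest of the header.
    return {"version": version}


def describe(data: bytes) -> str:
    """One-line verdict, roughly what a desktop auto-mounter concludes from the header."""
    hdr = parse_luks_header(data)
    if hdr is None:
        return "no LUKS header: plain dm-crypt, TrueCrypt, or unformatted/random data"
    if hdr["version"] == 1 and "cipher" in hdr:
        return (f"LUKS1 {hdr['cipher']}-{hdr['mode']} {hdr['key_bits']}-bit, "
                f"hash {hdr['hash']}, uuid {hdr['uuid']}")
    if hdr["version"] == 2 and "label" in hdr:
        return f"LUKS2 label={hdr['label']!r} header_size={hdr['header_size']}"
    return f"LUKS v{hdr['version']} (truncated header)"


# --- Constructed sample inputs (not dumps of real devices) ---------------------

def sample_luks1_header() -> bytes:
    """A LUKS1 header with plausible metadata and all-zero key material."""
    return LUKS1_HDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                          4096, 64, b"\0" * 20, b"\0" * 32, 1000,
                          b"00000000-0000-0000-0000-000000000000")


def sample_luks2_header() -> bytes:
    """Only the LUKS2 prefix: magic, version 2, 16 KiB header size, seqid 1, a label."""
    return LUKS2_PREFIX.pack(LUKS_MAGIC, 2, 16384, 1, b"backup")


def sample_plain_volume() -> bytes:
    """Deterministic pseudo-random bytes standing in for the first sector of a plain
    dm-crypt volume, which is ciphertext with no header at all."""
    seed = b"constructed plain volume"
    return b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(16))


if __name__ == "__main__":
    # Usage: python luks_probe.py /path/to/image-or-device ...
    # With no arguments, the three constructed samples are classified instead.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{path}: {describe(fh.read(4096))}")
    if len(sys.argv) == 1:
        for name, blob in (("luks1", sample_luks1_header()),
                           ("luks2", sample_luks2_header()),
                           ("plain", sample_plain_volume())):
            print(f"{name}: {describe(blob)}")
```

Running it on a real LUKS device shows exactly the information the GNOME prompt acts on (format, version, cipher, UUID), all readable without any passphrase; running it on a plain dm-crypt volume returns the "no LUKS header" verdict, which is the whole of what plain mode hides. Which of the two is appropriate is the access-control question Arno raises, not a matter of concealment.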