[dm-crypt] Cascading two plain dm-crypt volumes

Arno Wagner arno at wagner.name
Fri Nov 29 01:32:51 CET 2013

On Fri, Nov 29, 2013 at 01:08:25 CET, Claudio Moretti wrote:
> Forgot to hit "reply to all". Forwarding to the list.
> ---------- Messaggio inoltrato ----------
> Da: flyingstar16 at gmail.com
> Data: 29/nov/2013 00:06
> Oggetto: Re: [dm-crypt] Cascading two plain dm-crypt volumes
> A: anderson jackson <thewizard at mighty.co.za>
> Cc:
> Il 28/nov/2013 23:32 "anderson jackson" <thewizard at mighty.co.za> ha scritto:
> >
> > Hello,
> >
> > I have a small question regarding luks and plain dm-crypt, and I am unsure
> > what to use.
> >
> > I feel that the advantages provided by Luks obviously offers extra
> security
> > compared to plain, however I feel uneasy about the obviousness of the fact
> > that the drive is encrypted. Mainly because a disk with just random data
> could
> > have been wiped instead of encrypted. I would like the extra security
> provided
> > by luks without it being obvious that the disk is encrypted. To combat
> this I
> > was thinking about doing a cascade of two identical ciphers in plain mode
> I may be mistaken, but (a) if you're using plain mode, there is no
> indication that the disk is encrypted; from the FAQ
> "Plain format is just that: It has no metadata on disk, reads all
> parameters from the commandline (or the defaults), derives a master-key
> from the passphrase and then uses that to de-/encrypt the sectors of the
> device, with a direct 1:1 mapping between encrypted and decrypted sectors."

Correct, but incomplete. There is also no indication that the disk
is _not_ encrypted. Remember than often, if there is initial 
suspicion, you will have to prove your innocence.
> And if you're worried about the fact that if a hacker gets you password
> right he will be able to decrypt your disk, there is no guarantee that it
> can happen twice.  True, the probability get extremely reduced, but AFAIK
> current estimates say that to crack AES128 you need 30 years of continuous
> computing, so...

Depends entirely on passphrase quality, see FAQ Item 5.1.
If an attacker guesses that there will be some non-random
data at the start (the LUKS header), breaking both encryptions 
is just as hard as breaking the LUKS one, if bothe pass-hrases
are of similar quality. The plain mapping will be about 
100'000 times easier, as it does not iterate the hash.

> If instead you meant two cascaded luks partition, you still need the luks
> identifier in the "inner" partition so an attacker would know when your
> partition is open because the luks header of the partition will be in
> plaintext.

If I understood this right, it is plain(luks(data))
> All of this is to the best of my actual knowledge, if I got something
> wrong, please correct me.

See above.

Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare

More information about the dm-crypt mailing list