[dm-crypt] Some questions about cryptsetup 1.6.x

Thomas Bächler thomas at archlinux.org
Wed Feb 12 15:30:10 CET 2014

Am 12.02.2014 15:19, schrieb Arno Wagner:
> -h is the hash that the plain-text password is put through
> to turn it into a binary value of certain defined length.
> -c specifies the hash that goes into pbkdf2 for the hash
> iteration.

Are you sure?

I was under the impression that '-c' only affects the cipher parameter
passed to dm-crypt - a hash would then be relevant for cipher modes like
cbc-essiv, but xts-plain64 would ignore it. Thus, cryptsetup has default
like 'aes-cbc-essiv:sha256', since essiv needs a hash, and
aes-xts-plain64, since xts does not need a hash.

According to the manpage, -h is what is used in PBKDF2 in luksFormat
mode, or to hash the passphrase in plain mode.

To me, this makes much more sense than what you said.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <http://www.saout.de/pipermail/dm-crypt/attachments/20140212/31f09d2b/attachment.asc>

More information about the dm-crypt mailing list