[dm-crypt] Some questions about cryptsetup 1.6.x

Arno Wagner arno at wagner.name
Wed Feb 12 16:59:58 CET 2014

On Wed, Feb 12, 2014 at 15:30:10 CET, Thomas Bächler wrote:
> Am 12.02.2014 15:19, schrieb Arno Wagner:
> > -h is the hash that the plain-text password is put through
> > to turn it into a binary value of certain defined length.
> > -c specifies the hash that goes into pbkdf2 for the hash
> > iteration.
> Are you sure?

Not really, no. I was focussing on the "RAM" cell attenuation 

> I was under the impression that '-c' only affects the cipher parameter
> passed to dm-crypt - a hash would then be relevant for cipher modes like
> cbc-essiv, but xts-plain64 would ignore it. Thus, cryptsetup has default
> like 'aes-cbc-essiv:sha256', since essiv needs a hash, and
> aes-xts-plain64, since xts does not need a hash.
> According to the manpage, -h is what is used in PBKDF2 in luksFormat
> mode, or to hash the passphrase in plain mode.
> To me, this makes much more sense than what you said.

Come to think of it, to me too. It is really irrelevant though,
there is no need to change these hashes to improve security.

Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
A good decision is based on knowledge and not on numbers. -  Plato

More information about the dm-crypt mailing list