[dm-crypt] Some questions about cryptsetup 1.6.x

Milan Broz gmazyland at gmail.com
Wed Feb 12 17:10:40 CET 2014

On 02/12/2014 03:30 PM, Thomas Bächler wrote:
> Am 12.02.2014 15:19, schrieb Arno Wagner:
>> -h is the hash that the plain-text password is put through
>> to turn it into a binary value of certain defined length.
>> -c specifies the hash that goes into pbkdf2 for the hash
>> iteration.
> Are you sure?
> I was under the impression that '-c' only affects the cipher parameter
> passed to dm-crypt - a hash would then be relevant for cipher modes like
> cbc-essiv, but xts-plain64 would ignore it. Thus, cryptsetup has default
> like 'aes-cbc-essiv:sha256', since essiv needs a hash, and
> aes-xts-plain64, since xts does not need a hash.
> According to the manpage, -h is what is used in PBKDF2 in luksFormat
> mode, or to hash the passphrase in plain mode.

Yes, this is correct. The -h parameter is for LUKS header (PBKDF2 + AF splitter).
For plain mode it means algorithm to use when hashing password.

For -c it is cipher/mode for kernel dmcrypt (if there is a IV spec which requires
hash like ESSIV, then it contains hashspec as parameter).


More information about the dm-crypt mailing list