[dm-crypt] Cascading encryption how-to?

Claudio Moretti flyingstar16 at gmail.com
Wed Jan 22 00:56:23 CET 2014

(sorry, hit the wrong button)

It was proposed in a brainstorming session[1] in 2008, but AFAIK it's never
been implemented.

I also found this[2] in which Milan said it's possible by creating LUKS
over a LUKS device, but it's hell in terms of performance and you need to
open every single device by itself (e.g. for aes-serpent-twofish you'd have
to issue 3 separate luksOpen commands).

Since it creates performance issues, it might be best for you to create a
regular LUKS device for - say  your root filesystem and then, if you need
it and your OS supports it, you can try

a) using /etc/crypttab to "luksOpen" a part of that already encrypted
partition (I haven't tried, but it might be possible), or
b) use Truecrypt to unlock encrypted files you keep somewhere.



[2] http://comments.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt/3020

On Tue, Jan 21, 2014 at 11:50 PM, Claudio Moretti <flyingstar16 at gmail.com>wrote:

> It was proposed in a brainstorming session[1]
> On Tue, Jan 21, 2014 at 8:59 PM, Falko <fb1729 at posteo.de> wrote:
>> Hey there,
>> I was wondering how I set up cascading encryption like in Truecrypt (e.g.
>> aes-twofish or even twofish-serpent-aes...). I tried this: cryptsetup -v
>> -c
>> serpent-twofish-xts-plain64 -s 512 -h sha512 --verify-passphrase -y
>> --use-random
>> luksFormat /dev/sdx which, of course, didn't work :o). I couldn't find
>> anything in
>> the man or internet either - only that it should be possible :o).
>> Thanks
>> Kind regards
>> fb
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt at saout.de
>> http://www.saout.de/mailman/listinfo/dm-crypt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.saout.de/pipermail/dm-crypt/attachments/20140121/b60d8133/attachment.html>

More information about the dm-crypt mailing list