[dm-crypt] plain: opening with a wrong password
for-gmane at mutluit.com
Thu Feb 5 15:04:39 CET 2015
U.Mutlu wrote, On 02/05/2015 02:53 PM:
> Arno Wagner wrote, On 02/05/2015 12:54 PM:
>> On Wed, Feb 04, 2015 at 14:30:17 CET, U.Mutlu wrote:
>>> Quentin Lefebvre wrote, On 02/04/2015 02:02 PM:
>>>> Le 04/02/2015 13:33, U.Mutlu a écrit :
>>>>> what happens if an encrypted filesystem (plain, no LUKS)
>>>>> next time is opened accidently with a wrong password,
>>>>> and new data written to it? Will the filesystem then become
>>>> What typically happens when you use a wrong password is that the
>>>> cryptsetup create/open command is indeed successful, but mounting your
>>>> partition will fail (because the filesystem is not detected). So you
>>>> have few chance to accidentally damage a filesystem, even in plain
>>> I tried this out now, and indeed that's cool!
>>> Thank you for this useful tip, it spares me to study further
>>> also the LUKS stuff, as plain is IMHO sufficient for my needs.
>>> The main drawback with plain seems to be that one cannot change
>>> the password, instead one needs to re-enrcrypt into a new file/device.
>> That, you have only one password, and you do not get some
>> additional protection for weak passwords from salting and
>> iteration. With a good, passphease plain is about as secure
>> as LUKS, namely not breakable. (See FAQ item 5.1 for details
>> of what "good" means.)
> Yes, and one better should create a password by using a password hasher like
> the following:
> $ echo mypassword | hashalot -x -s mysalt sha256
> and pass the result to the target (of course using something else for
> "mypassword" and "mysalt").
Oh, I forgot to mention: with such a strong password
"plain" is IMHO more secure than "luks" b/c plain offers
no attack vectors (ie. metadata headers).
More information about the dm-crypt