[dm-crypt] Debian 7.10 random key swap Device /dev/sda2 is not a valid LUKS device.
arno at wagner.name
Thu Apr 7 11:39:09 CEST 2016
In fact, as confidential data can be written to swap,
changing the key on boot is a security feature.
On Wed, Apr 06, 2016 at 22:26:09 CEST, Sven Eschenberg wrote:
> Yes David,
> You are right. And as long as you do not need persistent swap to
> i.e. store a hibernate image, it is absolutely reasonable to use a
> new random key on each boot.
> On 06.04.2016 at 21:35, David Christensen wrote:
> >On 04/06/2016 03:55 AM, Michael Kjörling wrote:
> >>On 5 Apr 2016 21:25 -0700, from dpchrist at holgerdanske.com (David
> >>># grep sda2 /etc/crypttab
> >>>sda2_crypt /dev/sda2 /dev/urandom
> >>Since you don't have the "luks" option, Debian does not treat this as
> >>a LUKS device. So when cryptsetup claims that /dev/sda2 "is not a
> >>valid LUKS device" it is quite correct.
> >Thanks for the information.
> >So, RTFM 'crypttab': at boot time /sbin/cryptdisks_start will create a
> >plain dm-crypt device with target name 'sda2_crypt'
> >(/dev/mapper/sda2_crypt) from source device /dev/sda2 with a 256-bit key
> >(option 'size') from file /dev/urandom and with cipher aes-xts-plain64
> >(option 'cipher'), and then run /sbin/mkswap on the created device
> >(option 'swap') (?).
> >And, as plain dm-crypt devices do not have a LUKS header,
> >'luksHeaderBackup' has nothing to back up and the error message I'm
> >seeing is expected and correct (?).
> >dm-crypt mailing list
> >dm-crypt at saout.de
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno at wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
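
The crypttab reading discussed in this thread, as an added example that is not part of any poster's message: a small parser that reports whether each entry is LUKS or plain (per the thread, Debian treats an entry as LUKS only when the `luks` option is present) and lists swap mappings whose key is not regenerated at boot. The sample entries are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Fields per crypttab(5):
#   <target> <source device> <key file> <options>

# Constructed sample. The first entry follows the options David describes
# (cipher, size, swap); the other two are hypothetical.
SAMPLE_CRYPTTAB='# <target> <source> <key file> <options>
sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap
sdb1_crypt /dev/sdb1 none luks
swap2_crypt /dev/sdc2 /etc/keys/swap.key swap'

# Read crypttab text on stdin; print "<target> <luks|plain> <key> <swap|data>".
classify_crypttab() {
    while read -r target source keyfile options _rest; do
        case "$target" in ''|'#'*) continue ;; esac   # blank line or comment
        kind=plain use=data key=stable
        # Options are comma separated; match whole option names only.
        old_ifs=$IFS; IFS=,
        for opt in $options; do
            case "$opt" in
                luks) kind=luks ;;   # without this the thread's Debian uses plain mode
                swap) use=swap ;;    # mkswap is run on the mapping at boot
            esac
        done
        IFS=$old_ifs
        case "$keyfile" in
            /dev/urandom|/dev/random) key=random-per-boot ;;
        esac
        printf '%s %s %s %s\n' "$target" "$kind" "$key" "$use"
    done
}

# Swap mappings whose key survives a reboot, so old swap contents stay decryptable.
nonephemeral_swap() {
    classify_crypttab | awk '$4 == "swap" && $3 != "random-per-boot" { print $1 }'
}

printf '%s\n' "$SAMPLE_CRYPTTAB" | classify_crypttab
printf '%s\n' "$SAMPLE_CRYPTTAB" | nonephemeral_swap
```

Entries reported as `plain` have no LUKS header, so `luksHeaderBackup` has nothing to read on them; on a real system, feed the function `/etc/crypttab` instead of the sample.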