[dm-crypt] The future of disk encryption with LUKS2

Arno Wagner arno at wagner.name
Fri Feb 5 16:24:40 CET 2016

On Fri, Feb 05, 2016 at 16:01:14 CET, Yves-Alexis Perez wrote:
> On ven., 2016-02-05 at 14:31 +0100, Arno Wagner wrote:
> > No. You are trying to solve the wrong problem. First, disk 
> > encryption with 1:1 mapping will never give you integrity 
> > protection and the other variants kill performance.
> I perfectly understand that, thank you. Again, I'm *well aware* of the need to
> store integrity patterns somewhere. I'm *not* asking for 1:1 mapping.
> Can I sincerely ask that you not consider at first (and second, and third)
> that I didn't think first about what I was asking on the list?

Then why are you asking about integrity protection on a list
dedicated to a block-layer encryption system? That does not make
any sense. If you state things that do not make sense then I
will point that out, because there is a real possibility that
your reasoning process (I am not implying there was none) was 

> > And second, who says anything abot the "evil maid" changing
> > things in the encrypted container?
> I'm not following you here.

Attacks on hardware, replacement of the disk with something that
attacks the boot process, Firewire, USB, etc. vulnerabilities, 
changes in non-encrypted areas, etc. 

> > 
> > Seriosuly, what you want you do not do with disk encryption, 
> > but with PGP/GnuPG on file-level.
> Because encrypting whole disk with GnuPG doesn't really scale, for
> example?  I have to admit I'm a bit puzzled by the question on this list,
> to be honest.

Use eCryptFS for a scalable implementation of that idea.
In fact, eCryptFS uses a file-format derived from PGP, 
and that is no accident.

Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier

More information about the dm-crypt mailing list