[dm-crypt] Managing wrapped key ciphers with cryptsetup

Sven Eschenberg sven at eschenberg.eu
Thu Apr 27 22:06:35 CEST 2017

Hi Hendrik,

The protability of the on disk format includes, that I can basicly 
reimplement cryptsetup from scratch, without relying on the current 
status quo. Moreover I even don't need to use kernel crypto stuff at all 
to i.e. create a decrypted image of the data.
Your HSM specific changes would be tied into cryptsetup, but if I 
followed the current specification, and had the corresponding HSM, I 
still would need the 'specifics' regarding the HSM and how to use it, to 
set up the actual mapping.

If you got some spare time:

If the new format comes to life and allows for plugins, then if I 
reimplemented cryptsetup and had no suiting plugin for a HSM or say a 
cryptocard or whatever, I can not setup the mapping. But I'd know that I 
am prone to fail, since I lack the plugin I am supposed to use.

Now, in contrast, if you hack the HSM supprt into cryptsetup, there's no 
on disk indication and that is not really portable anymore.



Am 27.04.2017 um 17:09 schrieb Hendrik Brueckner:
> Hi Milan,
>> LUKS1 is portable format, we cannot bind the format to specific hardware.
> We considered that point in the merge request.  It keeps LUKS1 as a
> portable format, there are no changes on the LUKS1 format or header.
> Of course, there are some differences when using wrapped keys, but these
> have been addressed without affecting the on-disk-format structure.
> Thanks and kind regards,
>    Hendrik

More information about the dm-crypt mailing list