[dm-crypt] Managing wrapped key ciphers with cryptsetup
arno at wagner.name
Fri Apr 28 09:22:22 CEST 2017
I think hardware-specific stuff has no place in cryptsetup.
Get a kernel-driver and then create a wrapper that feeds
the key to cryptsetup, anything else is a bad design.
And if you want a system that is secure against root, then
do not use Linux. Seriously.
On Thu, Apr 27, 2017 at 22:06:35 CEST, Sven Eschenberg wrote:
> Hi Hendrik,
> The portability of the on disk format includes, that I can basically
> reimplement cryptsetup from scratch, without relying on the current status
> quo. Moreover I even don't need to use kernel crypto stuff at all to i.e.
> create a decrypted image of the data.
> Your HSM specific changes would be tied into cryptsetup, but if I followed
> the current specification, and had the corresponding HSM, I still would need
> the 'specifics' regarding the HSM and how to use it, to set up the actual
> If you got some spare time:
> If the new format comes to life and allows for plugins, then if I
> reimplemented cryptsetup and had no suitable plugin for a HSM or say a
> cryptocard or whatever, I cannot set up the mapping. But I'd know that I am
> prone to fail, since I lack the plugin I am supposed to use.
> Now, in contrast, if you hack the HSM support into cryptsetup, there's no on
> disk indication and that is not really portable anymore.
> Am 27.04.2017 um 17:09 schrieb Hendrik Brueckner:
> >Hi Milan,
> >>LUKS1 is portable format, we cannot bind the format to specific hardware.
> >We considered that point in the merge request. It keeps LUKS1 as a
> >portable format, there are no changes on the LUKS1 format or header.
> >Of course, there are some differences when using wrapped keys, but these
> >have been addressed without affecting the on-disk-format structure.
> >Thanks and kind regards,
> > Hendrik
> dm-crypt mailing list
> dm-crypt at saout.de
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno at wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
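The "kernel driver plus wrapper" design Arno recommends above, as an added example that is not code from this thread or from the cryptsetup project: a hypothetical unwrap helper (here `unwrap-tool`, standing in for whatever talks to the kernel driver or HSM) writes the unlocking key to its stdout, and the wrapper pipes that key into an unmodified cryptsetup through `--key-file=-`. The key is never placed on the command line, in the environment, or in a file, and cryptsetup itself stays hardware-agnostic, which is the point of keeping the hardware-specific part out of it. The `CRYPTSETUP` override and the mapping-name guard are this example's own additions.

```shell
#!/bin/sh
# Added example, not from the dm-crypt thread or the cryptsetup sources:
# a wrapper that feeds a key obtained from a hardware-specific helper
# into a stock cryptsetup over stdin.
set -eu

# Path to the cryptsetup binary; overridable so the wrapper can be
# exercised against a stub without root or a real LUKS device.
CRYPTSETUP=${CRYPTSETUP:-cryptsetup}

# unwrap_and_open UNWRAP_CMD DEVICE NAME
#   UNWRAP_CMD: command that prints the raw unlocking key to stdout
#               (hypothetical, e.g. a tool that asks the kernel driver
#               to unwrap a stored wrapped key)
#   DEVICE:     the LUKS container, e.g. /dev/sdb1
#   NAME:       the dm-crypt mapping name to create
# Returns cryptsetup's exit status. The key only ever travels through
# the pipe between the two processes.
unwrap_and_open() {
    unwrap_cmd=$1
    device=$2
    name=$3

    # A mapping name is a single path component under /dev/mapper;
    # refuse anything that would escape it or is empty.
    case $name in
        ""|*/*)
            echo "unwrap_and_open: refusing mapping name '$name'" >&2
            return 2
            ;;
    esac

    # 'open' with --key-file=- makes cryptsetup read the key from stdin.
    "$unwrap_cmd" | "$CRYPTSETUP" open --type luks --key-file=- "$device" "$name"
}

# Usage (needs root, a real LUKS device, and the hypothetical helper):
#   unwrap_and_open /usr/local/bin/unwrap-tool /dev/sdb1 secret
```

In plain POSIX sh the pipeline's status is that of cryptsetup, so a failing unwrap helper shows up only as cryptsetup rejecting an empty or truncated key; under bash, add `set -o pipefail` so the helper's own failure is reported directly.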