[dm-crypt] dm-crypt overhead
arno at wagner.name
Fri Mar 2 09:44:43 CET 2018
Sounds like you are in a really dysfunctional (security-wise)
corporate environment. Maybe your time would be better
spent trying to fix that...
On Thu, Mar 01, 2018 at 22:20:36 CET, Lukáš Pohanka wrote:
> thank you very much for a useful and informative answer. I'll have a
> look at this.
> Maybe I have one more question: which part requires the 4.12+ kernel?
> I'm afraid I'll have to backport the changes if we decide to proceed.
> Thanks again,
> 2018-03-01 18:41 GMT+01:00 Milan Broz <gmazyland at gmail.com>:
> On 03/01/2018 03:59 PM, Lukáš Pohanka wrote:
> > thanks for clarifications. Unfortunately, we are currently
> > constrained to use only dmsetup and cannot provision the target
> > device with cryptsetup. Thus we cannot use LUKS, only plain
> > dm-crypt. Hopefully it will change in the future. However, does it
> > mean there is currently no chance of using any form of
> > encryption in our case?
> you can use it just with dmsetup, but there are several steps that
> are not obvious (for example formatting dm-integrity device requires
> two steps etc).
> But it is definitely something I would not suggest :-)
> So in general (I intentionally do not want to paste exact commands,
> you have to be sure what you are doing here):
> - you will need recent-enough kernel (4.12+)
> Formatting (only once):
> - prepare block device, wipe first megabytes with zeroes
> - activate dm-integrity device (using dmsetup) with size 8 sectors,
> and with proper parameters (mainly tag size per sector) you need (do
> not use internal hash)
> - deactivate dm-integrity device
> (Steps above will format the device in-kernel, writing integrity
> Later use (normal activation):
> - activate dm-integrity device with proper data size (read from
> superblock). (In future it will be simpler.)
> - activate dm-crypt device with proper parameters above the
> dm-integrity device
> (with proper authentication mode parameters, tag size, random IV
> - Profit. (Use top-level dm-crypt device as usual.)
> (You should probably overwrite the whole device using direct-io on
> the first
> activation to initialize auth.tags.
> Otherwise any reads, including page cache, will fail on -EILSEQ -
> integrity error.)
> The above is in principle what cryptsetup is doing for you.
> Authenticated filesystem is definitely a better idea, but because I
> guess in which environment you are trying to implement
> this I guess it is not an option...
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno at wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
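The "read from superblock" step in the quoted procedure, as an added example that is not part of the thread or of cryptsetup's code: it parses the first sector of an already formatted dm-integrity device and builds the table line for normal activation. The field layout is assumed to be the little-endian on-disk superblock that starts with the magic `integrt`; the function names, the device path `/dev/sdX`, the tag size 28 and the sample sector are constructed for illustration.

```python
import struct

SB_MAGIC = b"integrt\0"
# magic[8], version u8, log2_interleave_sectors s8, integrity_tag_size u16,
# journal_sections u32, provided_data_sectors u64, flags u32,
# log2_sectors_per_block u8 (little-endian, packed; assumed layout)
SB_FORMAT = "<8sBbHIQIB"

def parse_superblock(sector: bytes) -> dict:
    """Decode the dm-integrity superblock from the first sector of the device."""
    if len(sector) < struct.calcsize(SB_FORMAT):
        raise ValueError("short read: need at least the superblock header")
    (magic, version, log2_interleave, tag_size, journal_sections,
     data_sectors, flags, log2_spb) = struct.unpack_from(SB_FORMAT, sector)
    if magic != SB_MAGIC:
        # A wiped or never-formatted device: the one-time format step was skipped.
        raise ValueError("no dm-integrity superblock found")
    return {"version": version, "tag_size": tag_size,
            "journal_sections": journal_sections,
            "provided_data_sectors": data_sectors,
            "sector_size": 512 << log2_spb}

def integrity_table(dev: str, sb: dict, expected_tag_size: int, mode: str = "J") -> str:
    """Build the dmsetup table line for normal activation (external tags, no internal hash)."""
    if sb["tag_size"] != expected_tag_size:
        # dm-crypt's AEAD mode must agree with the tag size fixed at format time.
        raise ValueError(f"tag size {sb['tag_size']} != expected {expected_tag_size}")
    # <start> <len> integrity <dev> <reserved sectors> <tag size> <mode> <#optional args>
    return f"0 {sb['provided_data_sectors']} integrity {dev} 0 {sb['tag_size']} {mode} 0"

# Constructed sample sector: version 1, 28-byte tags, 2000000 usable 512-byte sectors.
SAMPLE_SECTOR = struct.pack(SB_FORMAT, SB_MAGIC, 1, 15, 28, 88, 2000000, 0, 0).ljust(512, b"\0")

if __name__ == "__main__":
    sb = parse_superblock(SAMPLE_SECTOR)
    print(integrity_table("/dev/sdX", sb, expected_tag_size=28))
```

On a real device the sector would come from reading the first 512 bytes of the underlying block device, and the printed line is what `dmsetup create` expects as its table.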