From: Sam <test532@codingninjas.org>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] double algorithm question
Date: Sat, 1 Aug 2009 10:48:13 -0400 [thread overview]
Message-ID: <200908011048.13980.test532@codingninjas.org> (raw)
Thanks Moji,
That will obviously provide a nice boost in performance over what I was
trying! I appreciate your help.
Regards,
Sam
> You do not need to make a filesystem on the intermediate device, because
> you treat the devices in /dev/mapper as block devices you can luksFormat
> any device that shows up in order to do cascade encryption. You just have
> to remember to close them first in last out.
>
> cryptsetup luksFormat -c aes-xts-plain /dev/sdc
> cryptsetup luksOpen /dev/sdc first_layer
> cryptsetup luksFormat -c aes-xts-plain /dev/mapper/first_layer
> cryptsetup luksOpen /dev/mapper/first second_layer
> mkfs.ext2 /dev/mapper/second_layer -m 0 -L "Test"
> mount /dev/mapper/second_layer /mnt/usb
> umount /mnt/cdrom
> cryptsetup luksClose second_layer
> cryptsetup luksClose first_layer
>
> [Of course omit the luksFormat/mkfs lines after the device is created to
> open/close the device.]
>
> I do not know of any vulnerabilities with cascade encryption, it is
> normally just excessive, but someone else might.
>
> I hope that helps you,
>
> -MJ
>
> On Sat, 1 Aug 2009 07:39:42 -0400
>
> Sam <test532@codingninjas.org> wrote:
> > Hi All,
> >
> > I am wondering if this is a good idea:
> >
> > encrypt a partition normally with cryptsetup luksFormat (using
> > aes-xts-plain), then luksOpen,
> > mkfs.ext2 format the device mapper device that appears,
> > mount it.
> > Then, create a giant file that fills up the partition.
> > losetup it that file,
> > luksFormat the loop device (using twofish-xts-plain)
> > luksOpen it,
> > mkfs.ext2 format the device mapper device that appears,
> > mount it,
> > and use it...
> >
> > My purpose is that I don't trust AES, but I don't trust twofish enough to
> > be sure it is better than AES.
> >
> > I am paranoid enough that the speed hit is acceptable.
> >
> > Questions:
> >
> > 1) is this the best way to achieve my goal with dm-crypt?
> > 2) is it secure? Or will somehow it cause my data to be less secure than
> > just using one cipher? Or will it somehow defeat the security provided by
> > XTS? (i would assume it becoming less secure in any way is impossible,
> > but i am not a cryptoanalyst, so i don't want to be assuming such
> > things).
> >
> > I know truecrypt has a feature where you specify the cipher as
> > aes-twofish. This is what I wish to achieve, but using dm-crypt.
> >
> > Regards,
> > Sam
> > _______________________________________________
> > dm-crypt mailing list
> > dm-crypt@saout.de
> > http://www.saout.de/mailman/listinfo/dm-crypt
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
next reply other threads:[~2009-08-01 14:49 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-08-01 14:48 Sam [this message]
2009-08-02 1:20 ` [dm-crypt] double algorithm question Roscoe
2009-08-02 1:43 ` Roscoe
-- strict thread matches above, loose matches on Subject: below --
2009-08-01 11:39 Sam
2009-08-01 14:10 ` Moji
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200908011048.13980.test532@codingninjas.org \
--to=test532@codingninjas.org \
--cc=dm-crypt@saout.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.