From mboxrd@z Thu Jan 1 00:00:00 1970
In-Reply-To: <20090803234824.190ea23a@gmail.com> (Moji's message of "Mon\, 3 Aug 2009 23\:48\:24 +0300")
Content-Type: text/plain; charset=iso-8859-15
Date: Tue, 4 Aug 2009 15:01:11 +0200 (CEST)
From: theiling@absint.com (Henrik Theiling)
Message-Id: <20090804130111.A93DD16441DA@mail.absint.com>
Subject: Re: [dm-crypt] 1,5 TB partition: use cbc-essiv or xts-plain?
To: dm-crypt@saout.de

Hi!

Moji writes a lot of interesting stuff and finally:

>...
> I hope this helps you,

This helped a lot, yes, thank you!

And Milan wrote:

> Just small note: dm-crypt (kernel part) has one key per mapped
> segment, you can create as many segments with different keys (even
> with different algorithms) (imagine simple Logical Volume in LVM
> split over several areas of disk - the same logic can be used for
> crypt segments.)

Interesting!

> Only userspace (cryptsetup) is not able to configure it easily - you have to use
> dmsetup directly (or stack LVM/MD over several LUKS devices).

:-(  But at least it's possible, I did not know that.

And Heinz wrote:

> The main weaknesses are often related to a bad passphrase or different
> circumstances which make it easy for an adversary to get it, e.g.
> writing down the passphrase or choosing not enough entropy.

Right.  I try to remember extremely long passphrases (people tend to
have strange looks on their faces when I type a hard disk passphrase),
but of course, I'm no computer. :-)

**Henrik
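
Milan's point about one key per mapped segment, as an added example that is not part of the original message and not code from the dm-crypt project: a shell helper that builds a two-segment device-mapper table in which each crypt segment gets its own cipher and key, ready to be fed to dmsetup. The function names, the device path and the segment sizes are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration: two adjacent dm-crypt segments on one backing device,
# each with a different cipher and key. All names and values are hypothetical.

# is_hex_key KEY BITS: succeed only if KEY is exactly BITS/4 hex digits.
is_hex_key() (
    key=$1; bits=$2
    [ "${#key}" -eq $((bits / 4)) ] || exit 1
    case $key in
        *[!0-9a-fA-F]*) exit 1 ;;
    esac
    exit 0
)

# crypt_line START LEN CIPHER KEY BITS DEV OFFSET
# Emits: <start> <len> crypt <cipher> <key> <iv_offset> <device> <offset>
# iv_offset is 0: IV sector numbers restart at 0 inside each segment.
crypt_line() (
    is_hex_key "$4" "$5" || { echo "bad key for segment at sector $1" >&2; exit 1; }
    printf '%s %s crypt %s %s 0 %s %s\n' "$1" "$2" "$3" "$4" "$6" "$7"
)

# two_segment_table DEV LEN_A KEY_A LEN_B KEY_B   (lengths in 512-byte sectors)
two_segment_table() (
    dev=$1; len_a=$2; key_a=$3; len_b=$4; key_b=$5
    # A shared key would defeat the purpose of separate segments.
    [ "$key_a" != "$key_b" ] || { echo "segments must not share a key" >&2; exit 1; }
    # Segment A: sectors [0, len_a), AES-CBC with ESSIV, 256-bit key.
    crypt_line 0 "$len_a" aes-cbc-essiv:sha256 "$key_a" 256 "$dev" 0 || exit 1
    # Segment B: the next len_b sectors, AES-XTS with a 512-bit key
    # (plain64 is the 64-bit-IV variant of the xts-plain mode in the subject).
    crypt_line "$len_a" "$len_b" aes-xts-plain64 "$key_b" 512 "$dev" "$len_a" || exit 1
)

# redact_keys: blank the key field so a table can be logged or pasted safely.
redact_keys() {
    awk '$3 == "crypt" { $5 = "<redacted>" } { print }'
}

# Usage (as root, with keys read from a secure source, never typed inline):
#   two_segment_table /dev/sdX "$LEN_A" "$KEY_A" "$LEN_B" "$KEY_B" | dmsetup create split_crypt
```

The mapped device then presents both segments as one contiguous block device, and `dmsetup table` hides the keys unless `--showkeys` is given.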