From: Arno Wagner
Date: Thu, 13 Feb 2014 06:57:20 +0100
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Some questions about cryptsetup 1.6.x
Message-ID: <20140213055719.GA18962@tansi.org>
In-Reply-To: <52FB9D00.5050405@gmail.com>

On Wed, Feb 12, 2014 at 17:10:40 CET, Milan Broz wrote:
> On 02/12/2014 03:30 PM, Thomas Bächler wrote:
> > On 12.02.2014 15:19, Arno Wagner wrote:
> >> -h is the hash that the plain-text password is put through
> >> to turn it into a binary value of certain defined length.
> >> -c specifies the hash that goes into pbkdf2 for the hash
> >> iteration.
> >
> > Are you sure?
> >
> > I was under the impression that '-c' only affects the cipher parameter
> > passed to dm-crypt - a hash would then be relevant for cipher modes like
> > cbc-essiv, but xts-plain64 would ignore it. Thus, cryptsetup has defaults
> > like 'aes-cbc-essiv:sha256', since essiv needs a hash, and
> > aes-xts-plain64, since xts does not need a hash.
> >
> > According to the manpage, -h is what is used in PBKDF2 in luksFormat
> > mode, or to hash the passphrase in plain mode.
>
> Yes, this is correct. The -h parameter is for LUKS header (PBKDF2 + AF splitter).
> For plain mode it means algorithm to use when hashing password.
>
> For -c it is cipher/mode for kernel dmcrypt (if there is an IV spec which requires
> hash like ESSIV, then it contains hashspec as parameter).
>
> Milan

Just added clarifications for -c and -h to the man-page.
That I was confused about their meaning shows that it
was not clear enough ;-)

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. - Plato
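
The split between -c and -h discussed in this thread, as an added Python example that is not part of the original message and not cryptsetup code. It is a simplified model: the parser handles only the three-part cipher-mode-iv[:ivopt] form quoted above, and all function names, the salt and the iteration count are assumptions made for illustration.

```python
import hashlib

def parse_cipher_spec(spec):
    """Split a '-c' value of the form cipher-mode-iv[:ivopt] (simplified)."""
    head, _, iv_opt = spec.partition(":")
    parts = head.split("-")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected cipher-mode-iv[:ivopt], got {spec!r}")
    cipher, mode, iv = parts
    if iv == "essiv" and not iv_opt:
        raise ValueError("essiv needs a hash, e.g. essiv:sha256")
    # Only ESSIV carries a hash inside the cipher spec; plain64 has none.
    return {"cipher": cipher, "mode": mode, "iv": iv,
            "iv_hash": iv_opt if iv == "essiv" else None}

def passphrase_key_material(fmt, hash_spec, passphrase, key_bytes,
                            salt=b"constructed-salt", iterations=1000):
    """Model where the '-h' hash is applied to the passphrase.

    fmt == "luks":  PBKDF2 with hash_spec (salt and iterations here are
                    constructed sample values, not read from a real header).
    fmt == "plain": one hash of the passphrase, truncated to key_bytes
                    (assumption: covers key_bytes <= digest size only).
    """
    if fmt == "luks":
        return hashlib.pbkdf2_hmac(hash_spec, passphrase, salt, iterations, key_bytes)
    if fmt == "plain":
        digest = hashlib.new(hash_spec, passphrase).digest()
        if key_bytes > len(digest):
            raise ValueError("model covers key_bytes <= digest size only")
        return digest[:key_bytes]
    raise ValueError(f"unknown format {fmt!r}")

def describe(fmt, cipher_spec, hash_spec):
    """Summarise which hash ends up where for one set of options."""
    parsed = parse_cipher_spec(cipher_spec)
    return {"kernel_cipher": cipher_spec, "iv_hash": parsed["iv_hash"],
            "passphrase_hash": hash_spec,
            "passphrase_hash_use": "PBKDF2" if fmt == "luks" else "direct hash"}

if __name__ == "__main__":
    for spec in ("aes-cbc-essiv:sha256", "aes-xts-plain64"):
        print(describe("luks", spec, "sha1"))
```

In this model, changing the -c value never changes the key material derived from the passphrase, and changing -h never changes the IV hash.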