From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from v6.tansi.org (ns.km31936-01.keymachine.de [87.118.116.4])
	by mail.saout.de (Postfix) with ESMTP
	for ; Sat, 1 Mar 2014 14:50:43 +0100 (CET)
Received: from gatewagner.dyndns.org (77-57-44-24.dclient.hispeed.ch [77.57.44.24])
	by v6.tansi.org (Postfix) with ESMTPA id C74EB34FA001
	for ; Sat, 1 Mar 2014 14:50:42 +0100 (CET)
Date: Sat, 1 Mar 2014 14:50:41 +0100
From: Arno Wagner
Message-ID: <20140301135041.GC395@tansi.org>
References: <530F4E30.6000204@gmail.com> <530F7644.4040003@archlinux.org>
	<5310731F.2080701@gmail.com> <20140228214601.GA23681@tansi.org>
	<517e087c5ca5b9ddb2669a60df76dd51.squirrel@ssl.verfeiert.org>
	<20140228232742.GA24931@tansi.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Subject: Re: [dm-crypt] [ANNOUNCE] cryptsetup 1.6.4
To: dm-crypt@saout.de

Well, yes. But anybody careful or having read and understood the
warnings in the FAQ will have a full backup anyways. Anybody that
runs without backup is unlikely to make one now. Doing backup is
sort of like working safely: It is a state of mind. One remark is
not going to make people careful that are careless.

But I will add it nonetheless.

Arno

On Sat, Mar 01, 2014 at 08:39:44 CET, Sven Eschenberg wrote:
> Another thing that crossed my mind:
>
> Currently the FAQ states in respect to the whirlpool problem, to do a
> header backup prior to changing the header or using reencrypt. Wouldn't it
> be better to make this a minimum requirement and recommend a full backup
> instead? Imagine for whatever reason some portion after the payload offset
> gets damaged/overwritten, be it by mixing up numbers or because of any
> unobvious bug somewhere.
>
> Regards
>
> -Sven
>
>
> On Sat, March 1, 2014 00:27, Arno Wagner wrote:
> > On Fri, Feb 28, 2014 at 23:06:30 CET, Sven Eschenberg wrote:
> >> On Fri, February 28, 2014 22:46, Arno Wagner wrote:
> >> > On Fri, Feb 28, 2014 at 22:26:03 CET, Sven Eschenberg wrote:
> >> >> Just out of curiosity,
> >> >>
> >> >> Isn't it possible (yet) to override header fields during luksopen?
> >> >> If not, wouldn't it make sense to add something like that in future
> >> >> versions? I think it could be of great help when the header is
> >> >> partly damaged, to be able to override things without using a hex
> >> >> editor.
> >> >
> >> > I doubt this makes much sense. From what I have seen,
> >> > usually the magic string at the start is gone as well,
> >> > and then there is a real risk that people try this with
> >> > the wrong data. Using a hex-editor is not that hard and
> >> > using a hex-dumper is basically required to get any
> >> > reasonable form of diagnostics. Even the keyslot-checker
> >> > is basically a specialized hexdump tool.
> >>
> >> Okay, that's true. I personally do use a hexeditor too, I have to admit,
> >> just thought it could help less experienced people. Then again, if
> >> people fail to use a hex editor chances are big they make things worse.
> >> I guess I didn't think this through long enough.
> >
> > I have a _lot_ of experience with students, some not so bright
> > or experienced ;-)
> >
> >> >> I am aware that one could use the non-LUKS mode to open a LUKS
> >> >> device by passing all required parameters, admitted. But a mode
> >> >> where one can use what's in the header and override single fields
> >> >> could be interesting. Once the correct params are determined this
> >> >> way, one could maybe add an option to repair the header with the
> >> >> given replacements (Maybe by adding the option to reencrypt?).
> >> >>
> >> >> Just some thoughts that crossed my mind.
> >> >
> >> > I doubt this really helps. Also remember that finding out what
> >> > actually broke the header is important, so fiddling around
> >> > with an opaque header and commandline arguments to cryptsetup
> >> > after you have analyzed a hexdump strikes me as not that effective.
> >>
> >> That's absolutely true, indeed.
> >>
> >> >
> >> > I do understand that hex-editing is awkward for many people,
> >> > but I do not think this makes it any better or clearer.
> >> > One thing that would help a bit is a header layout with
> >> > hex offsets. I think I am going to add that to the FAQ.
> >>
> >> Good point, I'd propose adding this to the luks on disk format document
> >> as well. If you cannot convert HEX<->DEC inside your head having the hex
> >> offsets at disposal helps a lot. I admit, I used a converter when I
> >> edited my headers lately.
> >
> > Me too. For the time being, there now is a nice hex + dec table
> > in FAQ Item 6.12
> >
> > Arno
> > --
> > Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
> > GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
> > ----
> > A good decision is based on knowledge and not on numbers. - Plato
> > _______________________________________________
> > dm-crypt mailing list
> > dm-crypt@saout.de
> > http://www.saout.de/mailman/listinfo/dm-crypt
> >
>
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. - Plato
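
The thread above discusses diagnosing a damaged LUKS header from a hexdump and the value of a layout with hex and decimal offsets. As an added example (not part of the original messages and not cryptsetup code), the read-only Python sketch below parses a LUKS1 header copy, lists each field with both offsets, and reports a missing magic string or an invalid keyslot state. The field offsets follow the LUKS1 on-disk format as understood here, not the FAQ table the thread mentions; the function names and the sample header are constructed for illustration.

```python
import struct

# LUKS1 header fields as (name, byte offset, big-endian struct format).
# Offsets are an assumption taken from the LUKS1 on-disk format, not from this thread.
LUKS1_FIELDS = [
    ("magic", 0, ">6s"), ("version", 6, ">H"), ("cipher-name", 8, ">32s"),
    ("cipher-mode", 40, ">32s"), ("hash-spec", 72, ">32s"),
    ("payload-offset", 104, ">I"), ("key-bytes", 108, ">I"),
    ("mk-digest", 112, ">20s"), ("mk-digest-salt", 132, ">32s"),
    ("mk-digest-iter", 164, ">I"), ("uuid", 168, ">40s"),
]
LUKS_MAGIC = b"LUKS\xba\xbe"
KEYSLOT_BASE, KEYSLOT_SIZE, KEYSLOTS, HEADER_SIZE = 208, 48, 8, 592
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD

def parse_header(buf):
    """Return ({field: (offset, value)}, [findings]); never writes to buf."""
    if len(buf) < HEADER_SIZE:
        raise ValueError(f"need {HEADER_SIZE} bytes, got {len(buf)}")
    fields, findings = {}, []
    for name, off, fmt in LUKS1_FIELDS:
        (value,) = struct.unpack_from(fmt, buf, off)
        fields[name] = (off, value)
    if fields["magic"][1] != LUKS_MAGIC:
        findings.append("magic at 0x0000 damaged")
    for i in range(KEYSLOTS):
        off = KEYSLOT_BASE + i * KEYSLOT_SIZE
        # state, iterations, 32-byte salt (skipped), key material offset, stripes
        state, _, km_off, stripes = struct.unpack_from(">II32xII", buf, off)
        fields[f"keyslot-{i}"] = (off, (state, km_off, stripes))
        if state not in (SLOT_ENABLED, SLOT_DISABLED):
            findings.append(f"keyslot {i} state at 0x{off:04x} invalid")
    return fields, findings

def layout_table(fields):
    """One line per field: hex offset, decimal offset, name."""
    return [f"0x{off:04x} {off:4d}  {name}" for name, (off, _) in fields.items()]

def make_sample():
    """Constructed 592-byte header for the demo; not taken from a real device."""
    buf = bytearray(HEADER_SIZE)
    struct.pack_into(">6sH32s32s32sII", buf, 0, LUKS_MAGIC, 1,
                     b"aes", b"xts-plain64", b"sha256", 4096, 64)
    for i in range(KEYSLOTS):
        state = SLOT_ENABLED if i == 0 else SLOT_DISABLED
        struct.pack_into(">II32xII", buf, KEYSLOT_BASE + i * KEYSLOT_SIZE,
                         state, 100000, 8 + i * 512, 4000)
    return buf

if __name__ == "__main__":
    fields, findings = parse_header(make_sample())
    print("\n".join(layout_table(fields)), findings, sep="\n")
```

Run it against a header backup file (read as bytes) rather than the live device, so the original stays untouched while you analyse it.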