From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Debian 7.10 random key swap Device /dev/sda2 is not a valid LUKS device.
Date: Thu, 7 Apr 2016 11:46:49 +0200
Message-ID: <20160407094649.GD21526@tansi.org>
In-Reply-To: <20160407093909.GB21526@tansi.org>
That was a joke, BTW ;-)
Regards,
Arno
On Thu, Apr 07, 2016 at 11:39:09 CEST, Arno Wagner wrote:
> In fact, as confidential data can be written to swap,
> changing the key on boot is a security feature.
>
> Regards,
> Arno
>
>
> On Wed, Apr 06, 2016 at 22:26:09 CEST, Sven Eschenberg wrote:
> > Yes David,
> >
> > You are right. And as long as you do not need persistent swap to
> > i.e. store a hibernate image, it is absolutely reasonable to use a
> > new random key on each boot.
> >
> > Regards
> >
> > -Sven
> >
> >
> > On 06.04.2016 at 21:35, David Christensen wrote:
> > >On 04/06/2016 03:55 AM, Michael Kjörling wrote:
> > >>On 5 Apr 2016 21:25 -0700, from dpchrist@holgerdanske.com (David
> > >>Christensen):
> > >>># grep sda2 /etc/crypttab
> > >>>sda2_crypt /dev/sda2 /dev/urandom
> > >>>cipher=aes-xts-plain64,size=256,swap
> > >>
> > >>Since you don't have the "luks" option, Debian does not treat this as
> > >>a LUKS device. So when cryptsetup claims that /dev/sda2 "is not a
> > >>valid LUKS device" it is quite correct.
> > >>
> > >
> > >Thanks for the information.
> > >
> > >
> > >So, RTFM 'crypttab': at boot time /sbin/cryptdisks_start will create a
> > >plain dm-crypt device with target name 'sda2_crypt'
> > >(/dev/mapper/sda2_crypt) from source device /dev/sda2 with a 256-bit key
> > >(option 'size') from file /dev/urandom and with cipher aes-xts-plain64
> > >(option 'cipher'), and then run /sbin/mkswap on the created device
> > >(option 'swap') (?).
> > >
> > >
> > >And, as plain dm-crypt devices do not have a LUKS header,
> > >'luksHeaderBackup' has nothing to back up and the error message I'm
> > >seeing is expected and correct (?).
> > >
> > >
> > >David
> > >
> > >_______________________________________________
> > >dm-crypt mailing list
> > >dm-crypt@saout.de
> > >http://www.saout.de/mailman/listinfo/dm-crypt
>
> --
> Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
> GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
> ----
> A good decision is based on knowledge and not on numbers. -- Plato
>
> If it's in the news, don't worry about it. The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
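
Added example, not part of the original message or of Debian's cryptsetup scripts: a small POSIX shell audit that classifies crypttab entries by the points raised in this thread (the "luks" option, a /dev/urandom key, the "swap" option). It infers the type from the options field only, and the sda3_crypt line in the sample is a constructed, hypothetical entry.

```shell
# Added example: classify /etc/crypttab entries as discussed in the thread.
# The type is inferred from the options field only (the "luks" option, as
# described for Debian 7); the device itself is never opened.

# has_opt OPTIONS NAME: succeed if NAME or NAME=value is in the comma list.
has_opt() {
    case ",$1," in
        *",$2,"*|*",$2="*) return 0 ;;
    esac
    return 1
}

# classify_entry TARGET SOURCE KEYFILE OPTIONS: print one summary line.
classify_entry() {
    kind=plain; key=persistent; swap=no; resume=n/a
    if has_opt "$4" luks; then kind=luks; fi
    case "$3" in
        /dev/urandom|/dev/random) key=ephemeral ;;   # new key every boot
    esac
    if has_opt "$4" swap; then
        swap=yes
        # A hibernate image in swap is unreadable once the key is replaced.
        if [ "$key" = ephemeral ]; then resume=no; else resume=yes; fi
    fi
    # Only LUKS devices carry a header for luksHeaderBackup to save.
    if [ "$kind" = luks ]; then backup=yes; else backup=no; fi
    printf '%s type=%s key=%s swap=%s header_backup=%s resume=%s\n' \
        "$1" "$kind" "$key" "$swap" "$backup" "$resume"
}

# audit_crypttab: read crypttab text on stdin, skip comments and blank lines.
audit_crypttab() {
    while read -r target source keyfile opts; do
        case "$target" in ''|'#'*) continue ;; esac
        classify_entry "$target" "$source" "$keyfile" "$opts"
    done
}

# Constructed sample: the entry from the thread joined onto one line, plus a
# hypothetical LUKS entry (sda3_crypt) for contrast.
sample_crypttab() {
    cat <<'EOF'
# <target> <source device> <key file> <options>
sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap
sda3_crypt /dev/sda3 none luks
EOF
}

sample_crypttab | audit_crypttab
```

To check a real system, feed the file in with `audit_crypttab < /etc/crypttab`.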