From: Arno Wagner
Date: Thu, 7 Apr 2016 11:46:49 +0200
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Debian 7.10 random key swap Device /dev/sda2 is not a valid LUKS device.
Message-ID: <20160407094649.GD21526@tansi.org>
In-Reply-To: <20160407093909.GB21526@tansi.org>
References: <57048FA2.7090008@holgerdanske.com> <20160406105535.GG9664@yeono.kjorling.se> <57056507.6020907@holgerdanske.com> <570570E1.5050708@whgl.uni-frankfurt.de> <20160407093909.GB21526@tansi.org>

That was a joke, BTW ;-)

Regards,
Arno

On Thu, Apr 07, 2016 at 11:39:09 CEST, Arno Wagner wrote:
> In fact, as confidential data can be written to swap,
> changing the key on boot is a security feature.
>
> Regards,
> Arno
>
>
> On Wed, Apr 06, 2016 at 22:26:09 CEST, Sven Eschenberg wrote:
> > Yes David,
> >
> > You are right. And as long as you do not need persistent swap to
> > i.e. store a hibernate image, it is absolutely reasonable to use a
> > new random key on each boot.
> >
> > Regards
> >
> > -Sven
> >
> >
> > On 06.04.2016 at 21:35, David Christensen wrote:
> > >On 04/06/2016 03:55 AM, Michael Kjörling wrote:
> > >>On 5 Apr 2016 21:25 -0700, from dpchrist@holgerdanske.com (David
> > >>Christensen):
> > >>># grep sda2 /etc/crypttab
> > >>>sda2_crypt /dev/sda2 /dev/urandom
> > >>>cipher=aes-xts-plain64,size=256,swap
> > >>
> > >>Since you don't have the "luks" option, Debian does not treat this as
> > >>a LUKS device. So when cryptsetup claims that /dev/sda2 "is not a
> > >>valid LUKS device" it is quite correct.
> > >>
> > >
> > >Thanks for the information.
> > >
> > >
> > >So, RTFM 'crypttab': at boot time /sbin/cryptdisks_start will create a
> > >plain dm-crypt device with target name 'sda2_crypt'
> > >(/dev/mapper/sda2_crypt) from source device /dev/sda2 with a 256-bit key
> > >(option 'size') from file /dev/urandom and with cipher aes-xts-plain64
> > >(option 'cipher'), and then run /sbin/mkswap on the created device
> > >(option 'swap') (?).
> > >
> > >
> > >And, as plain dm-crypt devices do not have a LUKS header,
> > >'luksHeaderBackup' has nothing to back up and the error message I'm
> > >seeing is expected and correct (?).
> > >
> > >
> > >David
> > >
> > >_______________________________________________
> > >dm-crypt mailing list
> > >dm-crypt@saout.de
> > >http://www.saout.de/mailman/listinfo/dm-crypt
>
> --
> Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
> GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
> ----
> A good decision is based on knowledge and not on numbers. -- Plato
>
> If it's in the news, don't worry about it. The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
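
The reading of the crypttab entry discussed in this thread, as an added Python example (not code from any participant or from the cryptsetup project): it parses crypttab lines and reports whether an entry is plain dm-crypt or LUKS, whether its key is regenerated on each boot, and so whether luksHeaderBackup applies and whether the contents survive a reboot. The sample input is constructed (the thread's sda2 entry rejoined onto one line, plus a hypothetical home_crypt entry on /dev/sda3), and all function and field names are this example's own.

```python
# Added example: classify /etc/crypttab entries as the thread reads them.
# Assumption taken from the thread: an entry is LUKS only if it has "luks".
RANDOM_KEY_SOURCES = {"/dev/urandom", "/dev/random"}

# Constructed sample: the thread's sda2 entry on one line, plus a
# hypothetical LUKS entry (home_crypt, /dev/sda3) added for contrast.
SAMPLE = """\
# <target> <source device> <key file> <options>
sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap
home_crypt /dev/sda3 none luks
"""

def parse_crypttab(text):
    """Return one dict per entry: target, source, key, options{name: value}."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {raw!r}")
        fields += ["none", ""][len(fields) - 2:]  # default key file, options
        options = dict(o.partition("=")[::2] for o in fields[3].split(",") if o)
        entries.append({"target": fields[0], "source": fields[1],
                        "key": fields[2], "options": options})
    return entries

def assess(entry):
    """Derive the properties the thread discusses for one entry."""
    opts = entry["options"]
    luks = "luks" in opts
    ephemeral = entry["key"] in RANDOM_KEY_SOURCES  # new key on every boot
    return {
        "target": entry["target"],
        "mode": "luks" if luks else "plain",
        "key_bits": int(opts["size"]) if "size" in opts else None,
        "ephemeral_key": ephemeral,
        "mkswap_at_boot": "swap" in opts,
        "luks_header_backup": luks,            # plain mode has no header
        "contents_survive_reboot": not ephemeral,  # needed for hibernate
    }

if __name__ == "__main__":
    for e in parse_crypttab(SAMPLE):
        print(assess(e))
```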