From: Milan Broz <gmazyland@gmail.com>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Encrypt all partitions with dm-crypt
Date: Fri, 24 Aug 2012 16:01:11 +0200 [thread overview]
Message-ID: <50378927.7090508@gmail.com> (raw)
In-Reply-To: <20120823193415.GA31534@tansi.org>
On 08/23/2012 09:34 PM, Arno Wagner wrote:
>> Well, you can have detached LUKS header on USB flash disk (optionally
>> with the whole boot partition) for example.
>
> That is not really a good idea. LUKS on Flash/SSD may not work
> as intended. I just added an entry for that to the FAQ (5.17).
> For some scenarios, plain dm-cryp is just the way to go.
> Of course, it requires some understanding, e.g. a high-entropy
> passphrase is a must.
(Where do you want to store that high-entropy passphrase?
I guess most of people will use... USB disk?)
Well, I think it is not that simple. You MUST HAVE high-entropy
passphrase in plain dmcrypt because encryption key is directly
computed (hash) from it.
Too easy for people to do this step wrong, which causes worse problems
than flash disk problems.
(Moreover, strandards like FIPS140 explicitly forbids any encryption key
derived directly from passphrases.)
LUKS uses kernel RNG to generate encryption key, always.
There is currently a lot of effort to ensure that /dev/urandom
cannot produce weak data even in extreme situations.
One problem is safe manipulation with keyslot on device, the second is separation
of metadata information (LUKS keyslots in this case) from data device.
(Dictionary attack is not possible for LUKS device if header is not available,
but it is possible for plain dm-crypt with weak passphrase.)
I have several notes to this disk/flash/SSD and will post it as separate mail...
But anyway, it all depends on threat model.
If it is only about securing data when laptop is stolen, no problem to
use SSD or flash disks. This should be mentioned IMHO because it is
most common use case.
Milan
next prev parent reply other threads:[~2012-08-24 14:01 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-22 12:10 [dm-crypt] Encrypt all partitions with dm-crypt Stayvoid
2012-08-22 12:24 ` Arno Wagner
2012-08-22 15:40 ` Stayvoid
2012-08-22 15:52 ` Heinz Diehl
2012-08-22 15:54 ` Matthew Monaco
2012-08-22 15:57 ` Javier Juan Martínez Cabezón
2012-08-23 7:28 ` Arno Wagner
2012-08-23 9:00 ` Christophe
2012-08-23 11:27 ` Arno Wagner
2012-08-23 14:12 ` Heinz Diehl
2012-08-23 15:10 ` Christophe
2012-08-23 16:07 ` Arno Wagner
2012-08-23 18:12 ` Milan Broz
2012-08-23 19:34 ` Arno Wagner
2012-08-24 14:01 ` Milan Broz [this message]
2012-08-24 14:40 ` Heinz Diehl
2012-08-24 15:14 ` Arno Wagner
2012-09-05 4:21 ` Stayvoid
2012-09-05 13:01 ` Arno Wagner
2012-09-06 12:54 ` Stayvoid
2012-09-06 16:46 ` Arno Wagner
2012-09-06 17:53 ` Heinz Diehl
2012-09-06 19:58 ` Arno Wagner
2012-09-07 16:10 ` Stayvoid
2012-09-07 19:04 ` Arno Wagner
2012-09-08 2:50 ` Stayvoid
2012-09-08 7:01 ` Milan Broz
2012-09-09 16:21 ` Stayvoid
2012-09-15 0:52 ` Stayvoid
2012-09-15 1:09 ` Matthew Monaco
2012-09-15 1:10 ` Matthew Monaco
2012-09-20 7:13 ` Stayvoid
2012-09-20 9:18 ` Javier Juan Martínez Cabezón
2012-09-21 5:01 ` Stayvoid
2012-09-21 10:01 ` Arno Wagner
2012-09-21 18:14 ` Stayvoid
2012-09-22 22:36 ` Stayvoid
2012-09-25 3:12 ` Stayvoid
2012-09-25 6:31 ` Matthew Monaco
2012-09-25 7:13 ` Stayvoid
2012-09-25 13:58 ` Stayvoid
2012-09-25 19:06 ` Matthew Monaco
2012-09-25 23:54 ` Stayvoid
2012-09-26 2:12 ` Matthew Monaco
2012-09-26 8:23 ` Stayvoid
2012-09-26 9:24 ` Matthew Monaco
2012-09-26 10:49 ` Stayvoid
2012-09-26 10:51 ` Stayvoid
2012-09-26 11:13 ` Matthew Monaco
2012-09-26 23:34 ` Stayvoid
2012-09-15 6:13 ` Javier Juan Martínez Cabezón
2012-09-08 8:13 ` Heinz Diehl
2012-09-08 13:26 ` Arno Wagner
2012-09-08 14:37 ` Heinz Diehl
2012-09-08 16:05 ` Arno Wagner
2012-09-08 16:39 ` Heinz Diehl
2012-09-08 19:36 ` Arno Wagner
2012-09-08 14:58 ` Marc MERLIN
2012-09-19 4:15 ` Two Spirit
2012-09-19 4:52 ` Javier Juan Martínez Cabezón
2012-09-19 5:13 ` Arno Wagner
2012-08-24 14:47 ` Arno Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=50378927.7090508@gmail.com \
--to=gmazyland@gmail.com \
--cc=dm-crypt@saout.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.