From: Milan Broz <gmazyland@gmail.com>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] few questions on truecrypt and luks
Date: Sun, 14 Apr 2013 20:48:46 +0200
Message-ID: <516AFA0E.5040704@gmail.com>
In-Reply-To: <20130414165058.GA14159@tansi.org>

On 14.4.2013 18:50, Arno Wagner wrote:

> It should also be said that TrueCrypt format is an "alien" 
> option, in my view primarily for secure data-sharing with
> Windows. (Milan: If the strategic intention is different,
> please correct me.) As such, a full comparison or representation
> as primary format option is probably not a good idea.

I would just use "external on-disk format" instead of "alien",
but this was the plan - easily share data with Windows.

>> 1. truecrypt volume header is hidden while luks volume header is open.
> 
> Not really. The TrueCrypt headers per default are open.
> Only if you use the "hidden Volume" option are they hidden
> and they are not hidden very well, as _that_ seems to be 
> infeasible. 

Hm, maybe you have two different definitions of "open".

The Truecrypt header should not be detectable without password
knowledge; it starts with a 64-byte random salt and the rest is always
encrypted with a key derived from the password + optionally keyfiles.

All headers are in this format, primary, hidden and even backup header.
They are located just on different positions on disk.

So if "open" means easily detectable, the truecrypt header is not
easily detectable. (That's why the code needs to test all combinations
of ciphers to say that the password is wrong...)

>> since truecrypt also uses a header, assuming the same use cases and with the
>> same number of users, will truecrypt volume's header be corrupted at the
>> same rate luks headers will?
> 
> Well, plain TrueCrypt volumes seem to include header backups (with
> all the security problems that brings), but not for system encryption.

Truecrypt system encryption forces you to burn a recovery disk
which is able to fix boot loader and header problems.

And it warns you that storing the iso image on the encrypted disk itself is
not a good idea. Twice.
When I tested my code, I reencrypted windows installation and
ignored this advice...
Then I decided to resize the encrypted system with some advanced partition tool...
(If your guess is that tool completely destroyed truecrypt header,
you are right :-)

In fact, this was proof that cryptsetup works here - because I lost
access to the recovery disk but did know the passphrase, I was able to open
the device with cryptsetup and the backup header located in the old position,
read and burn the recovery image and fix the whole disk.

Lessons learned :)

Milan
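The distinction Milan draws above (a LUKS header carries cleartext metadata, a TrueCrypt header is a 64-byte salt followed by ciphertext and cannot be recognised without the passphrase) is the kind of thing a forensic or asset-inventory scan has to cope with. The script below is an added illustration, not code from this thread, from cryptsetup or from TrueCrypt: it parses the cleartext LUKS1 header fields (offsets follow the published LUKS1 on-disk layout) and, for a header with no recognisable structure, reports only that the bytes look random, since that is all that can be observed. The LUKS header it builds is constructed sample data, and the "opaque" sample is simply 512 random bytes standing in for a salt-plus-ciphertext header; a real TrueCrypt header looks the same to this check.

```python
"""Identify cleartext (LUKS1) vs. opaque (TrueCrypt-style) volume headers.

Added illustration for the thread above, not cryptsetup or TrueCrypt code.
LUKS1 field offsets follow the LUKS1 on-disk specification; the "opaque"
sample is constructed random data standing in for a header that is 64 bytes
of salt followed by ciphertext, as the message describes.
"""
import math
import os
import struct
from typing import Optional

LUKS1_MAGIC = b"LUKS\xba\xbe"
LUKS1_HEADER_LEN = 592
LUKS1_KEYSLOT_ACTIVE = 0x00AC71F3
LUKS1_KEYSLOT_INACTIVE = 0x0000DEAD


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte-value histogram (8.0 is the maximum)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _cstr(field: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return field.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1_header(data: bytes) -> Optional[dict]:
    """Parse the cleartext LUKS1 phdr; None if magic or version do not match."""
    if len(data) < LUKS1_HEADER_LEN or data[:6] != LUKS1_MAGIC:
        return None
    (version,) = struct.unpack(">H", data[6:8])
    if version != 1:
        return None
    payload_offset, key_bytes = struct.unpack(">II", data[104:112])
    (mk_iterations,) = struct.unpack(">I", data[164:168])
    active_slots = []
    for i in range(8):
        off = 208 + i * 48                      # 8 key slots of 48 bytes each
        active, _iters = struct.unpack(">II", data[off:off + 8])
        active_slots.append(active == LUKS1_KEYSLOT_ACTIVE)
    return {
        "cipher_name": _cstr(data[8:40]),
        "cipher_mode": _cstr(data[40:72]),
        "hash_spec": _cstr(data[72:104]),
        "payload_offset_sectors": payload_offset,
        "key_bytes": key_bytes,
        "mk_digest_iterations": mk_iterations,
        "uuid": _cstr(data[168:208]),
        "active_slots": active_slots,
    }


def classify_header(data: bytes) -> dict:
    """Report what can be learned from a header without any passphrase."""
    luks = parse_luks1_header(data)
    if luks is not None:
        return {"format": "luks1",
                "entropy": shannon_entropy(data[:LUKS1_HEADER_LEN]), **luks}
    # No magic, no cleartext fields: all that is observable is that the bytes
    # look random, which is equally true of an encrypted header and of
    # leftover random data. Nothing here identifies a TrueCrypt volume.
    return {"format": "unidentified", "entropy": shannon_entropy(data[:512])}


def build_sample_luks1_header() -> bytes:
    """Constructed LUKS1 header (sample values, not taken from a real device)."""
    hdr = bytearray(LUKS1_HEADER_LEN)
    hdr[0:6] = LUKS1_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:11] = b"aes"
    hdr[40:51] = b"xts-plain64"
    hdr[72:78] = b"sha256"
    struct.pack_into(">II", hdr, 104, 4096, 64)      # payload offset, key size
    struct.pack_into(">I", hdr, 164, 1000)           # master-key digest iterations
    hdr[168:204] = b"00000000-0000-0000-0000-000000000000"
    for i in range(8):
        off = 208 + i * 48
        active = LUKS1_KEYSLOT_ACTIVE if i == 0 else LUKS1_KEYSLOT_INACTIVE
        struct.pack_into(">II", hdr, off, active, 100000 if i == 0 else 0)
        struct.pack_into(">II", hdr, off + 40, 8 + i * 504, 4000)
    return bytes(hdr)


def build_sample_opaque_header() -> bytes:
    """Stand-in for a salt-plus-ciphertext header: 512 bytes with no structure."""
    return os.urandom(64) + os.urandom(448)


if __name__ == "__main__":
    for name, blob in (("luks", build_sample_luks1_header()),
                       ("opaque", build_sample_opaque_header())):
        print(name, classify_header(blob))
```

Run against the first sectors of a block device, the LUKS branch gives an inventory tool everything it needs (cipher, key size, which slots are in use) with no secret involved, which is exactly why LUKS is "open"; the other branch shows why a scan can only say "high-entropy, unidentified" about a TrueCrypt volume, and why cryptsetup has to try every cipher combination before it can report a wrong passphrase.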
