From: Kenny Lake
Date: Thu, 29 May 2014 14:33:23 +0100 (BST)
Subject: [dm-crypt] Is erasing hard disk drive mandatory?

If I want to create an encrypted volume over a disk drive where there were no sensible data or there was another encrypted volume, can I skip the erasing procedure, or will it compromise the security of the new encrypted volume?


From: Arno Wagner
Date: Thu, 29 May 2014 22:13:35 +0200
Subject: Re: [dm-crypt] Is erasing hard disk drive mandatory?

First, I presume this is about wiping the raw volume with cryptographically strong randomness, or wiping the new encrypted volume with anything (e.g. zeros). These two come down to the same effect on the raw volume.

Erasing is not recommended to remove any data that was there before (if you want that, you must erase, but it is a separate thing). Erasing is recommended to make it non-transparent where data was written in the encrypted volume. If you care, then you need to erase.

Arno

On Thu, May 29, 2014 at 15:33:23 CEST, Kenny Lake wrote:
> If I want to create an encrypted volume over a disk drive where there
> were no sensible data or there was another encrypted volume, can I skip
> the erasing procedure, or will it compromise the security of the new
> encrypted volume?
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. - Plato


From: Andrew
Date: Fri, 30 May 2014 12:02:00 +0200
Subject: Re: [dm-crypt] Is erasing hard disk drive mandatory?

Hey Kenny,

If you do skip over the erase during configuration, you can get the same effect by causing the filesystem to write to every block:

    dd if=/dev/zero of=uselessjunk ; \rm uselessjunk

Of course, you also need to fill up the inode tables, otherwise your disk may tell how many files are on the disk. Make lots of files.

If you're paranoid, or have a need to irritate security experts, use /dev/urandom instead of /dev/zero. &:-)

On Thu, 29 May 2014 14:33:23 +0100 (BST) Kenny Lake wrote:
> If I want to create an encrypted volume over a disk drive where
> there were no sensible data or there was another encrypted volume,
> can I skip the erasing procedure, or will it compromise the security of
> the new encrypted volume?

--
Thousands of years to mess up six days' work, and we're STILL not done


From: Stephen Cousins
Date: Fri, 30 May 2014 09:32:38 -0400
Subject: Re: [dm-crypt] Is erasing hard disk drive mandatory?

I've been curious about the random data step for a while. I created an array made up of dm-crypted disks but I didn't do this step. The disks did have some data on them but not necessarily random data. What is the functional purpose of writing random data to the disk prior to encrypting them? Does the encryption process use existing data from the disk as part of its encryption method? What would happen if dm-crypt was used on a completely blank disk?

Thanks,

Steve

On Thu, May 29, 2014 at 4:13 PM, Arno Wagner wrote:
> First, I presume this is about wiping the raw volume with
> cryptographically strong randomness, or wiping the new
> encrypted volume with anything (e.g. zeros). These two come
> down to the same effect on the raw volume.
>
> Erasing is not recommended to remove any data that was there
> before (if you want that, you must erase, but it is a separate
> thing). Erasing is recommended to make it non-transparent where
> data was written in the encrypted volume. If you care, then you
> need to erase.
>
> Arno

--
Steve Cousins                        Supercomputer Engineer/Administrator
Advanced Computing Group             University of Maine System
244 Neville Hall (UMS Data Center)   (207) 561-3574
Orono ME 04469                       steve.cousins at maine.edu
From: Arno Wagner
Date: Fri, 30 May 2014 15:42:38 +0200
Subject: Re: [dm-crypt] Is erasing hard disk drive mandatory?

If you put an encrypted volume on a blank disk, anybody getting access to the raw disk can tell where (which sectors) data was written to. That can represent a hidden channel that leaks information.

Arno

On Fri, May 30, 2014 at 15:32:38 CEST, Stephen Cousins wrote:
> I've been curious about the random data step for a while. I created an
> array made up of dm-crypted disks but I didn't do this step. The disks did
> have some data on them but not necessarily random data. What is the
> functional purpose of writing random data to the disk prior to encrypting
> them? Does the encryption process use existing data from the disk as part
> of its encryption method? What would happen if dm-crypt was used on a
> completely blank disk?
>
> Thanks,
>
> Steve


From: Stephen Cousins
Date: Fri, 30 May 2014 09:52:42 -0400
Subject: Re: [dm-crypt] Is erasing hard disk drive mandatory?

I see. So it has nothing to do with how well the data is encrypted. Just another level of protection as far as the scale of work someone would have to try to crack it if it looked like the whole disk was encrypted vs. just the actual data that had been written.

Thanks,

Steve

On Fri, May 30, 2014 at 9:42 AM, Arno Wagner wrote:
> If you put an encrypted volume on a blank disk, anybody getting
> access to the raw disk can tell where (which sectors) data was
> written to. That can represent a hidden channel that leaks
> information.
>
> Arno
From: Heinz Diehl
Date: Fri, 30 May 2014 17:07:01 +0200
Subject: Re: [dm-crypt] Is erasing hard disk drive mandatory?

On 30.05.2014, Stephen Cousins wrote:
> I see. So it has nothing to do with how well the data is encrypted. Just
> another level of protection..

Maybe. I think the practical effects are negligible. Within the first minutes of use of such a disk, temporary files get written to it, files get deleted, new ones get written and old stuff gets overwritten. If the encryption is secure, all that doesn't really matter.


From: Stephen Cousins
Date: Fri, 30 May 2014 11:17:27 -0400
Subject: Re: [dm-crypt] Is erasing hard disk drive mandatory?

Hi Heinz,

I agree. The field, by its very nature, has varying levels of paranoia (rightly so, as we are seeing these days), and this level is more than what I need for my purposes, so I can save some time by not having to send random data to all of the drives during the build process.

Steve

On Fri, May 30, 2014 at 11:07 AM, Heinz Diehl wrote:
> Maybe. I think the practical effects are negligible. Within the first
> minutes of use of such a disk, temporary files get written to it,
> files get deleted, new ones get written and old stuff gets
> overwritten. If the encryption is secure, all that doesn't really
> matter.
--001a11c1f3ec244a7a04fa9f8b5b-- From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wg0-f41.google.com (mail-wg0-f41.google.com [74.125.82.41]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mail.server123.net (Postfix) with ESMTPS for ; Fri, 30 May 2014 17:58:23 +0200 (CEST) Received: by mail-wg0-f41.google.com with SMTP id z12so2226635wgg.24 for ; Fri, 30 May 2014 08:58:22 -0700 (PDT) Message-ID: <5388AA9C.3020909@codehawks.eu> Date: Fri, 30 May 2014 16:58:20 +0100 From: Thomas Bastiani MIME-Version: 1.0 References: <1401370403.94216.YahooMailNeo@web172002.mail.ir2.yahoo.com> <20140529201335.GA9014@tansi.org> <20140530134238.GA21698@tansi.org> <20140530150701.GA4281@fancy-poultry.org> In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Subject: Re: [dm-crypt] Is erasing hard disk drive mandatory? List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Stephen Cousins Cc: dm-crypt@saout.de On 05/30/14 16:17, Stephen Cousins wrote: > Hi Heinz, > > I agree. The field, by it's very nature, has varying levels of paranoia > (rightly so as we are seeing these days) and this level is more than what I > need for my purposes so I can save some time by not having to send random > data to all of the drives during the build process. > > Steve > I tend to do the erase pass because it doesn't have a performance cost on hard drives. On SSD's though, this would prevent TRIM from functioning properly and make the SSD appear as full to the controller which would hurt performance. So I tend to not erase SSDs with random data before encryption. The other thing is if you TRIM NAND cells on your SSD their contents should be unrecoverable as opposed to standard hard-drives. 
-- Thomas From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.187]) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA256 (256/256 bits)) (No client certificate requested) by mail.server123.net (Postfix) with ESMTPS for ; Fri, 30 May 2014 19:10:55 +0200 (CEST) Date: Fri, 30 May 2014 19:10:53 +0200 From: Heinz Diehl Message-ID: <20140530171053.GA5729@fancy-poultry.org> References: <1401370403.94216.YahooMailNeo@web172002.mail.ir2.yahoo.com> <20140529201335.GA9014@tansi.org> <20140530134238.GA21698@tansi.org> <20140530150701.GA4281@fancy-poultry.org> <5388AA9C.3020909@codehawks.eu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5388AA9C.3020909@codehawks.eu> Subject: Re: [dm-crypt] Is erasing hard disk drive mandatory? List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: dm-crypt@saout.de On 30.05.2014, Thomas Bastiani wrote: > On SSD's though, this would prevent TRIM from functioning properly > and make the SSD appear as full to the controller which would > hurt performance. If you e.g. do a "dd if=/dev/urandom of=bigfile" to a SSD drive until the partition is fully overwritten, simply deleting "bigfile" followed by a "fstrim" should restore performance to the same level as is was before. What am I missing? 
From: Thomas Bastiani
Date: Fri, 30 May 2014 18:24:32 +0100
Subject: Re: [dm-crypt] Is erasing hard disk drive mandatory?
To: dm-crypt@saout.de

On 05/30/14 18:10, Heinz Diehl wrote:
> On 30.05.2014, Thomas Bastiani wrote:
>
>> On SSDs though, this would prevent TRIM from functioning properly
>> and make the SSD appear as full to the controller which would
>> hurt performance.
>
> If you e.g. do a "dd if=/dev/urandom of=bigfile" to a SSD drive
> until the partition is fully overwritten, simply deleting "bigfile"
> followed by a "fstrim" should restore performance to the same level as
> it was before. What am I missing?
>

Your first step is to dd if=/dev/urandom of=/dev/sd or an equivalent
operation. This is before you even create an encrypted container and
definitely below your file system...

It may be that files that you create and then delete will trigger a
TRIM operation if dm-crypt (and eventually LVM) are configured to pass
TRIM through. But the rest of your "securely erased" drive is still
not TRIM-ed.

And also it doesn't make sense to configure dm-crypt to pass TRIM
(with --allow-discards) if you've written random data to your drive at
creation time, because then you introduce another, different type of
side-channel leak.

Does that make sense?

--
Thomas

From: Heinz Diehl
Date: Fri, 30 May 2014 19:47:43 +0200
Subject: Re: [dm-crypt] Is erasing hard disk drive mandatory?
To: dm-crypt@saout.de

On 30.05.2014, Thomas Bastiani wrote:

> It may be that files that you create and then delete will trigger
> a TRIM operation if dm-crypt (and
> eventually LVM) are configured to pass TRIM through. But the rest of
> your "securely erased" drive is still not TRIM-ed.

As far as I know, mkfs discards blocks while creating the filesystem.
So your device should be "overwritten" at that stage of the process?

(I for myself never do any overwriting of harddisks, I've just asked
out of sheer curiosity).
From: Thomas Bastiani
Date: Fri, 30 May 2014 18:57:17 +0100
Subject: Re: [dm-crypt] Is erasing hard disk drive mandatory?
To: dm-crypt@saout.de

On 05/30/14 18:47, Heinz Diehl wrote:
> On 30.05.2014, Thomas Bastiani wrote:
>
>> It may be that files that you create and then delete will trigger
>> a TRIM operation if dm-crypt (and
>> eventually LVM) are configured to pass TRIM through. But the rest of
>> your "securely erased" drive is still not TRIM-ed.
>
> As far as I know, mkfs discards blocks while creating the filesystem.
> So your device should be "overwritten" at that stage of the process?
>

Oh cool. I had no idea. So then it would make the whole dd operation
useless if you pass --allow-discards to cryptsetup.
--
Thomas

From: Arno Wagner
Date: Fri, 30 May 2014 20:08:25 +0200
Subject: Re: [dm-crypt] Is erasing hard disk drive mandatory?
To: dm-crypt@saout.de

It requires specific attack situations. For example, some application
could write data in a specific pattern that would then be visible in
the raw container. Or you could determine the size of some files or
the type of the filesystem. Not anything usually critical, but
something to keep in mind, and when being careful the crypto-wipe step
is advisable.

Arno

On Fri, May 30, 2014 at 17:17:27 CEST, Stephen Cousins wrote:
> Hi Heinz,
>
> I agree. The field, by its very nature, has varying levels of paranoia
> (rightly so as we are seeing these days) and this level is more than what I
> need for my purposes so I can save some time by not having to send random
> data to all of the drives during the build process.
>
> Steve
>
>
> On Fri, May 30, 2014 at 11:07 AM, Heinz Diehl wrote:
>
> > On 30.05.2014, Stephen Cousins wrote:
> >
> > > I see. So it has nothing to do with how well the data is encrypted. Just
> > > another level of protection..
> >
> > Maybe. I think the practical effects are negligible. With the first
> > minutes of use of such a disk, temporary files get written to it,
> > files get deleted, new ones get written and old stuff gets
> > overwritten. If the encryption is secure, all that doesn't really
> > matter.
>
> --
> ________________________________________________________________
> Steve Cousins Supercomputer Engineer/Administrator
> Advanced Computing Group University of Maine System
> 244 Neville Hall (UMS Data Center) (207) 561-3574
> Orono ME 04469 steve.cousins at maine.edu

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers.
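An added example, not from the thread, that models the side channel Arno describes above and the discard leak Thomas mentions: a constructed raw device where ciphertext is random bytes, never-written sectors are zeros on a fresh drive or random after a /dev/urandom pre-wipe, and a TRIM passed through with --allow-discards zeroes sectors again. The 512-byte sector size and the sector numbers are constructed sample values.

```python
import os

SECTOR = 512  # constructed sector size for the model


def make_raw_device(n_sectors, prefill_random, written):
    """Constructed model of the raw device underneath a dm-crypt volume.

    Sectors the encrypted volume has written hold ciphertext, modelled as
    random bytes (good ciphertext is indistinguishable from random).  Sectors
    never written hold zeros on a fresh drive, or random bytes if the raw
    device was first filled from /dev/urandom (prefill_random=True).
    """
    dev = bytearray(n_sectors * SECTOR)
    for i in range(n_sectors):
        if prefill_random or i in written:
            dev[i * SECTOR:(i + 1) * SECTOR] = os.urandom(SECTOR)
    return dev


def discard(dev, sectors):
    """Model a TRIM passed through with --allow-discards: the drive returns
    zeros for discarded sectors, whatever they held before."""
    for i in sectors:
        dev[i * SECTOR:(i + 1) * SECTOR] = bytes(SECTOR)


def usage_map(dev):
    """What someone holding only the raw device can see: an all-zero sector
    was never written (or was discarded); anything else holds data."""
    n = len(dev) // SECTOR
    return [any(dev[i * SECTOR:(i + 1) * SECTOR]) for i in range(n)]


def visible_free_sectors(dev):
    """Sectors an observer can tell are unused.  An empty list means the
    raw device gives away nothing about the layout inside the volume."""
    return [i for i, used in enumerate(usage_map(dev)) if not used]


if __name__ == "__main__":
    written = {0, 1, 2, 7}          # constructed: sectors the volume used
    fresh = make_raw_device(16, False, written)
    print("fresh drive, free sectors seen:", visible_free_sectors(fresh))
    pre = make_raw_device(16, True, written)
    print("pre-wiped drive, free sectors seen:", visible_free_sectors(pre))
    discard(pre, [1, 2])            # file deleted, TRIM passed through
    print("pre-wiped + discard, free sectors seen:", visible_free_sectors(pre))
```

On the fresh drive the observer recovers the exact set of used sectors (and so the size of what was written); after the pre-wipe nothing is visible until a discard zeroes sectors and exposes what was freed.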
- Plato

From: Laurence Darby
Date: Fri, 30 May 2014 20:03:08 +0100
Subject: Re: [dm-crypt] Is erasing hard disk drive mandatory?
To: Thomas Bastiani
Cc: dm-crypt@saout.de

You're all missing a very important point. Have a read of
http://embeddedsw.net/doc/physical_coercion.txt (a reference on
http://en.wikipedia.org/wiki/Deniable_encryption) and think about if
you want some random data at the end of your drive that you can't
decrypt.

--
Laurence

Thomas Bastiani wrote:
> On 05/30/14 18:47, Heinz Diehl wrote:
> > On 30.05.2014, Thomas Bastiani wrote:
> >
> >> It may be that files that you create and then delete will trigger
> >> a TRIM operation if dm-crypt (and
> >> eventually LVM) are configured to pass TRIM through. But the rest of
> >> your "securely erased" drive is still not TRIM-ed.
> >
> > As far as I know, mkfs discards blocks while creating the filesystem.
> > So your device should be "overwritten" at that stage of the process?
> >
>
> Oh cool. I had no idea. So then it would make the whole dd operation
> useless if you pass --allow-discards to cryptsetup.
>
> --
> Thomas

From: Arno Wagner
Date: Fri, 30 May 2014 21:25:37 +0200
Subject: Re: [dm-crypt] Is erasing hard disk drive mandatory?
To: dm-crypt@saout.de

If you do this right (zero wipe within the opened encrypted container,
as described in FAQ Item 2.19), then you can decrypt this data to
zeros.

Unfortunately, given the frequency that people ask about "hidden
encrypted volumes" here and are completely unaware of the danger they
put themselves in, I think educating people about this risk is a lost
cause.

Arno

On Fri, May 30, 2014 at 21:03:08 CEST, Laurence Darby wrote:
>
> You're all missing a very important point. Have a read of
> http://embeddedsw.net/doc/physical_coercion.txt (a reference on
> http://en.wikipedia.org/wiki/Deniable_encryption) and think about if
> you want some random data at the end of your drive that you can't
> decrypt.
>
> --
> Laurence
>
>
>
> Thomas Bastiani wrote:
>
> > On 05/30/14 18:47, Heinz Diehl wrote:
> > > On 30.05.2014, Thomas Bastiani wrote:
> > >
> > >> It may be that files that you create and then delete will trigger
> > >> a TRIM operation if dm-crypt (and
> > >> eventually LVM) are configured to pass TRIM through. But the rest of
> > >> your "securely erased" drive is still not TRIM-ed.
> > >
> > > As far as I know, mkfs discards blocks while creating the filesystem.
> > > So your device should be "overwritten" at that stage of the process?
> > >
> >
> > Oh cool. I had no idea. So then it would make the whole dd operation
> > useless if you pass --allow-discards to cryptsetup.
> >
> > --
> > Thomas

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers.
- Plato

From: Heinz Diehl
Date: Sat, 31 May 2014 10:32:28 +0200
Subject: Re: [dm-crypt] Is erasing hard disk drive mandatory?
To: dm-crypt@saout.de

On 30.05.2014, Thomas Bastiani wrote:

> > As far as I know, mkfs discards blocks while creating the filesystem.
> > So your device should be "overwritten" at that stage of the process?

> Oh cool. I had no idea. So then it would make the whole dd operation
> useless if you pass --allow-discards to cryptsetup.

I think so. At least mkfs.xfs, mkfs.ext4 and mkfs.btrfs are discarding
blocks while creating the fs. Don't know about other fs.