From: Milan Broz <gmazyland@gmail.com>
To: "Dale R. Worley" <worley@alum.mit.edu>,
Drake Wilson <drake@dasyatidae.net>
Cc: util-linux@vger.kernel.org
Subject: Re: LUKS partition types, redux
Date: Fri, 21 Nov 2014 08:47:40 +0100 [thread overview]
Message-ID: <546EEE1C.102@gmail.com> (raw)
In-Reply-To: <201411202133.sAKLXSZP006667@hobgoblin.ariadne.com>
On 11/20/2014 10:33 PM, Dale R. Worley wrote:
>> From: Drake Wilson <drake@dasyatidae.net>
>
>> I might support an extension
>> proposal to allow (but not require) a type for the underlying volume to
>> be added as part of the _LUKS_ header, therefore (probably using a GPT
>> type just for convenience).
>
> That sounds like a better proposal to me. But I have no idea whether
> LUKS can support such an extension.
If I understand it correctly, you want to duplicate some UUID stored
in LUKS container payload to LUKS header?
LUKS will not support such extension. For two reasons:
- there is a clear layer separation, LUKS handle block layer encryption,
treating container data as a block device. It doesn't care about any
signatures or whatever is contained in data.
This information can be stored elsewhere (UUID in fstab of underlying device,
for example) but not in the LUKS header.
- for security reasons: if you add visible UUID of data inside container,
now you have definitely at least part of plaintext/ciphertext pair
available for attacker (UUID is stored on fixed offset).
Not that it makes possible ciphertext modification attacks to devices without
integrity protection much worse... but use this concept as a design decision
in a security tool would be just ridiculous.
Milan
next prev parent reply other threads:[~2014-11-21 7:47 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-19 20:59 LUKS partition types, redux Drake Wilson
2014-11-19 22:24 ` Dale R. Worley
2014-11-19 22:37 ` Drake Wilson
2014-11-20 21:33 ` Dale R. Worley
2014-11-21 7:47 ` Milan Broz [this message]
2014-11-21 7:54 ` LUKS partition types, redux (wandering into the weeds) Drake Wilson
2014-11-20 16:43 ` Bug#770211: LUKS partition types, redux Phillip Susi
2014-11-24 4:45 ` Drake Wilson
2014-11-24 14:33 ` Phillip Susi
2014-11-24 14:37 ` Drake Wilson
2014-11-24 14:45 ` Phillip Susi
2014-11-24 14:48 ` Drake Wilson
2014-11-24 14:58 ` Phillip Susi
2014-11-24 15:04 ` Drake Wilson
2014-11-24 15:09 ` Phillip Susi
2014-11-24 16:10 ` Karel Zak
2014-11-24 16:27 ` Phillip Susi
2014-11-25 15:18 ` Dale R. Worley
2014-11-24 11:37 ` Karel Zak
2014-11-24 12:09 ` Drake Wilson
2014-11-24 14:42 ` Phillip Susi
2014-11-24 15:46 ` Karel Zak
2014-11-24 19:56 ` Bruce Dubbs
2014-11-25 11:26 ` Karel Zak
2014-11-25 15:36 ` Bruce Dubbs
2014-11-25 15:20 ` Dale R. Worley
2014-11-24 15:48 ` Dale R. Worley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=546EEE1C.102@gmail.com \
--to=gmazyland@gmail.com \
--cc=drake@dasyatidae.net \
--cc=util-linux@vger.kernel.org \
--cc=worley@alum.mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.