From: "U.Mutlu" <for-gmane@mutluit.com>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] plain: opening with a wrong password
Date: Sun, 08 Feb 2015 11:09:48 +0100
Message-ID: <mb7clc$mli$1@ger.gmane.org>
In-Reply-To: <54D73297.7060904@gmail.com>
Milan Broz wrote, On 02/08/2015 10:55 AM:
> On 02/08/2015 10:23 AM, Arno Wagner wrote:
>> On Sun, Feb 08, 2015 at 09:19:54 CET, Heinz Diehl wrote:
>
>> From a purely practical perspective, the difference is usually negligible.
>> While plain dm-crypt mounting fails at the mount-stage due to wrong
>> filesystem signatures, LUKS mounting fails at the decrypt stage.
>
> Beware, there are some combinations of the encryption mode + IV which decrypt
> the first block correctly in both cases, so fs returns correct signature
> but fs is obviously corrupted... if you are not lucky, fsck will run
> and break the fs irrecoverably...
>
> This cannot happen with LUKS.
>
> See here that the ext3 device created with ESSIV still has a visible signature
> with plain IV:
>
> # echo "password" | cryptsetup create -c aes-cbc-essiv:sha256 -s 256 x /dev/sdb
> # mkfs -t ext3 -q /dev/mapper/x
> # blkid -p /dev/mapper/x
> /dev/mapper/x: UUID="f46ba5d8-8c26-4589-ac09-cb0829f2804f" SEC_TYPE="ext2" VERSION="1.0" TYPE="ext3" USAGE="filesystem"
>
> ... use fs
> # cryptsetup close x
>
> And now the mistake with plain IV:
>
> # echo "password" | cryptsetup create -c aes-cbc-plain -s 256 x /dev/sdb
> # blkid -p /dev/mapper/x
> /dev/mapper/x: UUID="f46ba5d8-8c26-4589-ac09-cb0829f2804f" SEC_TYPE="ext2" VERSION="1.0" TYPE="ext3" USAGE="filesystem"
>
> # mount /dev/mapper/x /mnt/tst
> mount: wrong fs type, bad option, bad superblock on /dev/mapper/x,
> missing codepage or helper program, or other error
> ...
>
> DO NOT use plain mode if you are not sure what you are doing. Really.
>
> There is a detached LUKS header which is better, the issues I mentioned in man
> about detached header page are side problems, nothing serious for most users.
> (But obviously depends on your threat model.)
>
> Milan
But isn't it just saying that the mount cannot be done
because something is wrong, i.e. a wrong/incomplete cipher param was given?
What happens if you repeat the whole thing with the correct params?
And, should one not use "/dev/sdb1" etc. instead of "/dev/sdb"?
--
cu
Uenal
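
One mechanism behind the still-visible signature in the quoted example: in CBC a wrong IV garbles only the first 16-byte block of each sector, and the ext2/3 magic sits at byte 56 of the superblock (device offset 1080), outside that block. The following is an added example, not part of the original thread; it assumes a toy Feistel cipher as a stand-in for AES, simplified models of the plain and ESSIV generators, and a constructed 2 KiB image.

```python
import hashlib
import struct

SECTOR, BLOCK = 512, 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def rf(key, rnd, half):  # round function of the toy cipher (stand-in, NOT AES)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key, b):  # 4-round Feistel over one 16-byte block
    l, r = b[:8], b[8:]
    for rnd in range(4):
        l, r = r, xor(l, rf(key, rnd, r))
    return l + r

def dec_block(key, b):  # inverse of enc_block
    l, r = b[:8], b[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, rf(key, rnd, l)), l
    return l + r

def iv_plain(key, n):  # "plain": little-endian sector number, zero padded
    return struct.pack("<I", n & 0xFFFFFFFF).ljust(BLOCK, b"\0")

def iv_essiv(key, n):  # ESSIV model: sector number encrypted under hash(key)
    return enc_block(hashlib.sha256(key).digest(), struct.pack("<Q", n).ljust(BLOCK, b"\0"))

def cbc_sectors(key, data, iv_fn, decrypt):  # CBC restarted for every 512-byte sector
    out = bytearray()
    for n in range(len(data) // SECTOR):
        prev = iv_fn(key, n)
        for off in range(n * SECTOR, (n + 1) * SECTOR, BLOCK):
            blk = data[off:off + BLOCK]
            if decrypt:
                out += xor(dec_block(key, blk), prev)
                prev = blk
            else:
                prev = enc_block(key, xor(blk, prev))
                out += prev
    return bytes(out)

def demo():
    key = hashlib.sha256(b"password").digest()  # constructed key
    disk = bytearray(b"\xaa" * (4 * SECTOR))    # constructed 2 KiB image
    disk[1080:1082] = b"\x53\xef"               # ext2/3 magic 0xEF53 at 1024 + 56
    # Encrypt with ESSIV, then decrypt with the same key but the plain IV.
    pt = cbc_sectors(key, cbc_sectors(key, bytes(disk), iv_essiv, False), iv_plain, True)
    bad = [i for i in range(len(disk)) if pt[i] != disk[i]]
    return pt[1080:1082] == b"\x53\xef", sorted({i // SECTOR for i in bad}), max(i % SECTOR for i in bad)
```

`demo()` returns whether the magic survived, which sectors differ from the original, and the highest damaged offset within a sector: the signature is intact while every sector carries corruption confined to its first 16 bytes.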