From: Sam <test532@codingninjas.org>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] double algorithm question
Date: Sat, 1 Aug 2009 10:48:13 -0400
Message-ID: <200908011048.13980.test532@codingninjas.org>
Thanks Moji,
That will obviously provide a nice boost in performance over what I was
trying! I appreciate your help.
Regards,
Sam
> You do not need to make a filesystem on the intermediate device, because
> you treat the devices in /dev/mapper as block devices; you can luksFormat
> any device that shows up in order to do cascade encryption. You just have
> to remember to close them first in, last out.
>
> cryptsetup luksFormat -c aes-xts-plain /dev/sdc
> cryptsetup luksOpen /dev/sdc first_layer
> cryptsetup luksFormat -c aes-xts-plain /dev/mapper/first_layer
> cryptsetup luksOpen /dev/mapper/first_layer second_layer
> mkfs.ext2 /dev/mapper/second_layer -m 0 -L "Test"
> mount /dev/mapper/second_layer /mnt/usb
> umount /mnt/usb
> cryptsetup luksClose second_layer
> cryptsetup luksClose first_layer
>
> [Of course omit the luksFormat/mkfs lines after the device is created to
> open/close the device.]
>
> I do not know of any vulnerabilities with cascade encryption; it is
> normally just excessive, but someone else might.
>
> I hope that helps you,
>
> -MJ
>
> On Sat, 1 Aug 2009 07:39:42 -0400
>
> Sam <test532@codingninjas.org> wrote:
> > Hi All,
> >
> > I am wondering if this is a good idea:
> >
> > encrypt a partition normally with cryptsetup luksFormat (using
> > aes-xts-plain), then luksOpen,
> > mkfs.ext2 format the device mapper device that appears,
> > mount it.
> > Then, create a giant file that fills up the partition.
> > losetup it that file,
> > luksFormat the loop device (using twofish-xts-plain)
> > luksOpen it,
> > mkfs.ext2 format the device mapper device that appears,
> > mount it,
> > and use it...
> >
> > My purpose is that I don't trust AES, but I don't trust twofish enough to
> > be sure it is better than AES.
> >
> > I am paranoid enough that the speed hit is acceptable.
> >
> > Questions:
> >
> > 1) is this the best way to achieve my goal with dm-crypt?
> > 2) is it secure? Or will somehow it cause my data to be less secure than
> > just using one cipher? Or will it somehow defeat the security provided by
> > XTS? (I would assume it becoming less secure in any way is impossible,
> > but I am not a cryptanalyst, so I don't want to be assuming such
> > things).
> >
> > I know TrueCrypt has a feature where you specify the cipher as
> > aes-twofish. This is what I wish to achieve, but using dm-crypt.
> >
> > Regards,
> > Sam
> > _______________________________________________
> > dm-crypt mailing list
> > dm-crypt@saout.de
> > http://www.saout.de/mailman/listinfo/dm-crypt
>