From: Sam
Date: Sat, 1 Aug 2009 10:48:13 -0400
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] double algorithm question
Message-Id: <200908011048.13980.test532@codingninjas.org>

Thanks Moji,

That will obviously provide a nice boost in performance over what I was trying! I appreciate your help.

Regards,
Sam

> You do not need to make a filesystem on the intermediate device, because
> you treat the devices in /dev/mapper as block devices: you can luksFormat
> any device that shows up in order to do cascade encryption. You just have
> to remember to close them first in, last out.
>
> cryptsetup luksFormat -c aes-xts-plain /dev/sdc
> cryptsetup luksOpen /dev/sdc first_layer
> cryptsetup luksFormat -c aes-xts-plain /dev/mapper/first_layer
> cryptsetup luksOpen /dev/mapper/first_layer second_layer
> mkfs.ext2 /dev/mapper/second_layer -m 0 -L "Test"
> mount /dev/mapper/second_layer /mnt/usb
> umount /mnt/usb
> cryptsetup luksClose second_layer
> cryptsetup luksClose first_layer
>
> [Of course omit the luksFormat/mkfs lines after the device is created to
> open/close the device.]
>
> I do not know of any vulnerabilities with cascade encryption, it is
> normally just excessive, but someone else might.
>
> I hope that helps you,
>
> -MJ
>
> On Sat, 1 Aug 2009 07:39:42 -0400
> Sam wrote:
> > Hi All,
> >
> > I am wondering if this is a good idea:
> >
> > encrypt a partition normally with cryptsetup luksFormat (using
> > aes-xts-plain), then luksOpen,
> > mkfs.ext2 format the device mapper device that appears,
> > mount it.
> > Then, create a giant file that fills up the partition.
> > losetup that file,
> > luksFormat the loop device (using twofish-xts-plain),
> > luksOpen it,
> > mkfs.ext2 format the device mapper device that appears,
> > mount it,
> > and use it...
> >
> > My purpose is that I don't trust AES, but I don't trust twofish enough to
> > be sure it is better than AES.
> >
> > I am paranoid enough that the speed hit is acceptable.
> >
> > Questions:
> >
> > 1) is this the best way to achieve my goal with dm-crypt?
> > 2) is it secure? Or will it somehow cause my data to be less secure than
> > just using one cipher? Or will it somehow defeat the security provided by
> > XTS? (I would assume it becoming less secure in any way is impossible,
> > but I am not a cryptanalyst, so I don't want to be assuming such
> > things.)
> >
> > I know truecrypt has a feature where you specify the cipher as
> > aes-twofish. This is what I wish to achieve, but using dm-crypt.
> >
> > Regards,
> > Sam
> > _______________________________________________
> > dm-crypt mailing list
> > dm-crypt@saout.de
> > http://www.saout.de/mailman/listinfo/dm-crypt
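The open-outer-to-inner, close-inner-to-outer discipline MJ describes is easy to get wrong by hand (the quoted sequence originally opened `/dev/mapper/first` instead of `/dev/mapper/first_layer`). The script below is an added example, not code from this thread or from the cryptsetup project: it drives a cascade of LUKS layers with each layer's own cipher, refuses to open a layer on a path that is not a block device, and always closes in reverse order. Device names, mapper names and ciphers are assumptions taken from the thread; it defaults to dry-run mode, which only prints the cryptsetup commands it would run, since real runs need root and real devices.

```shell
#!/bin/sh
# Added example (not from the thread): open and close a dm-crypt cascade with
# cryptsetup so that layers are opened outer-to-inner and closed inner-to-outer
# (first in, last out). DRY_RUN defaults to 1, so nothing is executed unless
# it is explicitly set empty (DRY_RUN= ...), which needs root and real devices.
DRY_RUN="${DRY_RUN-1}"

# run CMD ARGS...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# innermost BASE NAME...: mapper path of the last layer (no side effects).
# This is the device to mkfs and mount; the intermediate layers get no filesystem.
innermost() {
    dev="$1"; shift
    for name in "$@"; do dev="/dev/mapper/$name"; done
    printf '%s\n' "$dev"
}

# cascade_open BASE NAME...: open NAME1 on BASE, NAME2 on /dev/mapper/NAME1, ...
# Outside dry-run, each layer must exist as a block device before the next is
# opened, which catches a mistyped mapper name instead of opening the wrong thing.
cascade_open() {
    dev="$1"; shift
    for name in "$@"; do
        if [ -z "$DRY_RUN" ] && [ ! -b "$dev" ]; then
            echo "cascade_open: $dev is not a block device" >&2
            return 1
        fi
        run cryptsetup luksOpen "$dev" "$name" || return 1
        dev="/dev/mapper/$name"
    done
}

# cascade_create BASE NAME=CIPHER...: initial creation only. luksFormat each
# layer with its own cipher (e.g. aes-xts-plain, then twofish-xts-plain for the
# inner layer), opening it so the next layer can be formatted on top of it.
cascade_create() {
    dev="$1"; shift
    for spec in "$@"; do
        case "$spec" in
            *=*) ;;
            *) echo "cascade_create: expected NAME=CIPHER, got '$spec'" >&2; return 1 ;;
        esac
        name="${spec%%=*}"
        cipher="${spec#*=}"
        run cryptsetup luksFormat -c "$cipher" "$dev" || return 1
        run cryptsetup luksOpen "$dev" "$name" || return 1
        dev="/dev/mapper/$name"
    done
}

# cascade_close NAME...: close layers in the reverse of the order given, so the
# call can take the same name list as cascade_open.
cascade_close() {
    rev=""
    for name in "$@"; do rev="$name $rev"; done
    for name in $rev; do
        run cryptsetup luksClose "$name" || return 1
    done
}

# Usage (dry run by default): sh cascade.sh
cascade_create /dev/sdc first_layer=aes-xts-plain second_layer=twofish-xts-plain
echo "filesystem and mount point go on: $(innermost /dev/sdc first_layer second_layer)"
cascade_close first_layer second_layer
```

Run it as-is to see the command plan; unmount the innermost filesystem before `cascade_close`, since dm-crypt will refuse to tear down a mapping that is still in use.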