From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Two questions about LUKS2 format
Date: Fri, 29 Dec 2017 21:45:21 +0100 [thread overview]
Message-ID: <20171229204521.GB5569@tansi.org> (raw)
In-Reply-To: <96800494.44464.1514565671467@ichabod.co-bxl>
Hi,
On Fri, Dec 29, 2017 at 17:41:11 CET, Geo Kozey wrote:
> 1. When creating new container with experimental ciphers, i.e. chacha20, the output of luksDump shows:
>
> Data segments:
> 0: crypt
> offset: 4194304 [bytes]
> length: (whole device)
> cipher: chacha20-random
> sector: 512 [bytes]
> integrity: poly1305
>
> Keyslots:
> 0: luks2
> Key: 256 bits
> Priority: normal
> Cipher: aes-xts-plain64
> PBKDF: argon2i
> Time cost: 4
>
> Why "Cipher: aes-xts-plain64" is shown under Keyslots metadata and is different than "cipher: chacha20-random" from Data segments?
Interesting. I assume the cipher in the keyslot is the one used
in the AF protection? In the old header there was no cipher-spec
for the keyslot, things were hard-coded.
> 2. What happens when we create new luks container with argon2 as PBKDF
> under system with huge amount of RAM then try opening it under system with
> much lower amount (so memory cost will be higher than physical memory
> available)? Will it open but slower or will it fail?
Interesting question. I would think that it should not open by
default and instead give an error. The rationale for that would
be that if memory is low enough, it could get so much slower that
people would assume it is broken. That is never good.
It may be a good idea to have an option --ignore-insufficient-kdf-memory
in addition, with a warning that things can get catastrophically slow,
i.e. may take years or longer.
Incidentally, I will start a LUKS2 FAQ section when I find the
time.Questions like these are a good starting point.
Regards,
Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
prev parent reply other threads:[~2017-12-29 20:45 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-29 16:41 [dm-crypt] Two questions about LUKS2 format Geo Kozey
2017-12-29 17:10 ` Milan Broz
2017-12-29 20:47 ` Arno Wagner
2017-12-29 20:45 ` Arno Wagner [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171229204521.GB5569@tansi.org \
--to=arno@wagner.name \
--cc=dm-crypt@saout.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox