[dm-crypt] Partition mandatory?

[dm-crypt] Partition mandatory?

[Patrick]

[-- Attachment #1: Type: text/plain, Size: 1892 bytes --]

Hello,

I am quite new to linux (Ubuntu) and wish to use encrypted drives. I
already use LUKS encrypted disks, that's great.
I have a question regarding full disk encryption.

I tried to find an answer in the doc... "rtfm" did not solve it, neither
did some asking on IRC channels (answers like "no that's bad!", with no
further explanation as why "no" weren't just convincing enough... ;-)   ).

The case :
I want to encrypt a full USB disk and my question is : is it mandatory
to have a partition existing on the device and to luskformat the
partition? In other words, is it OK to luksformat the full device,
without mentionning any partition? Is it off "standards"?

In fact, I tried to encrypt a full disk using something like :
/sudo cryptsetup luksFormat -c aes-xts-plain -h whirlpool -s 512 /dev/sdx/
x being the device, without mentioning a partition.

That apparently works perfectly well, the full device is then encrypted
and can be formatted as ext4 or whatever I want it to be formatted to. I
can mount it and use it.
No partition is seen on the device when inserted without decrypting, good.

I would like to know if this could cause some side effects, as I don't
encrypt a partition but directly the device itself.

Being cautious, I did create a partition for now... and did encrypt this
one. The partition using the full disk...
/sudo cryptsetup luksFormat -c aes-xts-plain -h whirlpool -s 512
/dev/sde1 (for example)/*
*
For my own knowledge I would really appreciate to know if it would be OK
to luksformat a full device, without using partitions. And most of all I
would like to know why (whatever yes or no the answer could be! )

Maybe is this question related to the linux "philosophy" and devices
architecture that still isn't fully natural for me for now as I am an
ex-Windows user, but I'm learning and happy to do so! :-)

Hope you can help!
Best regards,

Patrick

[-- Attachment #2: Type: text/html, Size: 2722 bytes --]

Re: [dm-crypt] Partition mandatory?

[Milan Broz]

On 06/19/2011 03:54 PM, Patrick wrote:
> The case : I want to encrypt a full USB disk and my question is : is
> it mandatory to have a partition existing on the device and to
> luskformat the partition? In other words, is it OK to luksformat the
> full device, without mentionning any partition? Is it off
> "standards"?

You can use whole device without partition table, there is no problem
in Linux. For LUKS it is just block device - it is not important
if it is partition or the whole device.

There is only one situation, I know about, when using partition is safer.

If you have portable disk (or USB flashdrive or whatever) and there
is no partition table on it, and you plug such drive to
another system (namely older version of Windows) it
likes to offer you to "initialize" drive - which can destruct
LUKS header there. If there is a partition table, it thinks that
drive was already initialized preventing it.
(I think it is not problem in recent versions but not sure.)

Milan

Re: [dm-crypt] Partition mandatory?

[Patrick]

[-- Attachment #1: Type: text/plain, Size: 1464 bytes --]

Thank you for your quick and clear answer Milan! Tha'ts really great! :D

So, in the case of such a header destruction by an "old" OS, I think it
is still possible to restore the header I saved using

_luksHeaderBackup_ <device> --header-backup-file <file>

doing

_luksHeaderRestore_ <device> --header-backup-file <file>

Correct?

Best regards,

Patrick



Le 19. 06. 11 16:53, Milan Broz a écrit :
> On 06/19/2011 03:54 PM, Patrick wrote:
>> The case : I want to encrypt a full USB disk and my question is : is
>> it mandatory to have a partition existing on the device and to
>> luskformat the partition? In other words, is it OK to luksformat the
>> full device, without mentionning any partition? Is it off
>> "standards"?
> You can use whole device without partition table, there is no problem
> in Linux. For LUKS it is just block device - it is not important
> if it is partition or the whole device.
>
> There is only one situation, I know about, when using partition is safer.
>
> If you have portable disk (or USB flashdrive or whatever) and there
> is no partition table on it, and you plug such drive to
> another system (namely older version of Windows) it
> likes to offer you to "initialize" drive - which can destruct
> LUKS header there. If there is a partition table, it thinks that
> drive was already initialized preventing it.
> (I think it is not problem in recent versions but not sure.)
>
> Milan

[-- Attachment #2: Type: text/html, Size: 2011 bytes --]

Re: [dm-crypt] Partition mandatory?

[Milan Broz]

On 06/19/2011 05:25 PM, Patrick wrote:
> So, in the case of such a header destruction by an "old" OS, I think
> it is still possible to restore the header I saved using
> 
> _luksHeaderBackup_ <device> --header-backup-file <file>
> 
> doing
> 
> _luksHeaderRestore_ <device> --header-backup-file <file>
> 
> Correct?

yes, but it s just backup of LUKS header. Not a backup of data inside:-)
(with old header backup and passphrase you can unlock the drive,
so store it on safe place)

Milan

Re: [dm-crypt] Partition mandatory?

[Patrick]

Yes, sure I'll do!
Thanks again for your answers!

Best regards,

Patrick


Le 19. 06. 11 17:46, Milan Broz a écrit :
> On 06/19/2011 05:25 PM, Patrick wrote:
>> So, in the case of such a header destruction by an "old" OS, I think
>> it is still possible to restore the header I saved using
>>
>> _luksHeaderBackup_ <device> --header-backup-file <file>
>>
>> doing
>>
>> _luksHeaderRestore_ <device> --header-backup-file <file>
>>
>> Correct?
> yes, but it s just backup of LUKS header. Not a backup of data inside:-)
> (with old header backup and passphrase you can unlock the drive,
> so store it on safe place)
>
> Milan
>
>