From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <4DFDFFA5.70404@gmail.com>
Date: Sun, 19 Jun 2011 15:54:45 +0200
From: Patrick
Subject: [dm-crypt] Partition mandatory?
To: dm-crypt@saout.de

Hello,

I am quite new to linux (Ubuntu) and wish to use encrypted drives. I already use LUKS encrypted disks, that's great.
I have a question regarding full disk encryption.

I tried to find an answer in the doc... "rtfm" did not solve it, neither did some asking on IRC channels (answers like "no that's bad!", with no further explanation as why "no" weren't just convincing enough... ;-) ).

The case :
I want to encrypt a full USB disk and my question is : is it mandatory to have a partition existing on the device and to luksformat the partition? In other words, is it OK to luksformat the full device, without mentioning any partition? Is it off "standards"?

In fact, I tried to encrypt a full disk using something like :

    sudo cryptsetup luksFormat -c aes-xts-plain -h whirlpool -s 512 /dev/sdx

x being the device, without mentioning a partition.

That apparently works perfectly well, the full device is then encrypted and can be formatted as ext4 or whatever I want it to be formatted to. I can mount it and use it.
No partition is seen on the device when inserted without decrypting, good.

I would like to know if this could cause some side effects, as I don't encrypt a partition but directly the device itself.

Being cautious, I did create a partition for now... and did encrypt this one. The partition using the full disk...

    sudo cryptsetup luksFormat -c aes-xts-plain -h whirlpool -s 512 /dev/sde1

(for example)

For my own knowledge I would really appreciate to know if it would be OK to luksformat a full device, without using partitions. And most of all I would like to know why (whatever yes or no the answer could be! )

Maybe is this question related to the linux "philosophy" and devices architecture that still isn't fully natural for me for now as I am an ex-Windows user, but I'm learning and happy to do so! :-)

Hope you can help!
Best regards,

Patrick

From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <4DFE0D59.1090000@redhat.com>
Date: Sun, 19 Jun 2011 16:53:13 +0200
From: Milan Broz
In-Reply-To: <4DFDFFA5.70404@gmail.com>
Subject: Re: [dm-crypt] Partition mandatory?
To: Patrick
Cc: dm-crypt@saout.de

On 06/19/2011 03:54 PM, Patrick wrote:
> The case : I want to encrypt a full USB disk and my question is : is
> it mandatory to have a partition existing on the device and to
> luksformat the partition? In other words, is it OK to luksformat the
> full device, without mentioning any partition? Is it off
> "standards"?

You can use whole device without partition table, there is no problem
in Linux. For LUKS it is just block device - it is not important
if it is partition or the whole device.

There is only one situation, I know about, when using partition is safer.

If you have portable disk (or USB flashdrive or whatever) and there
is no partition table on it, and you plug such drive to
another system (namely older version of Windows) it
likes to offer you to "initialize" drive - which can destruct
LUKS header there. If there is a partition table, it thinks that
drive was already initialized preventing it.
(I think it is not problem in recent versions but not sure.)

Milan

From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <4DFE1507.6020909@gmail.com>
Date: Sun, 19 Jun 2011 17:25:59 +0200
From: Patrick
In-Reply-To: <4DFE0D59.1090000@redhat.com>
Subject: Re: [dm-crypt] Partition mandatory?
To: Milan Broz
Cc: dm-crypt@saout.de

Thank you for your quick and clear answer Milan! That's really great! :D

So, in the case of such a header destruction by an "old" OS, I think it is still possible to restore the header I saved using

    luksHeaderBackup <device> --header-backup-file <file>

doing

    luksHeaderRestore <device> --header-backup-file <file>

Correct?

Best regards,

Patrick

On 19.06.11 16:53, Milan Broz wrote:
> On 06/19/2011 03:54 PM, Patrick wrote:
>> The case : I want to encrypt a full USB disk and my question is : is
>> it mandatory to have a partition existing on the device and to
>> luksformat the partition? In other words, is it OK to luksformat the
>> full device, without mentioning any partition? Is it off
>> "standards"?
> You can use whole device without partition table, there is no problem
> in Linux. For LUKS it is just block device - it is not important
> if it is partition or the whole device.
>
> There is only one situation, I know about, when using partition is safer.
>
> If you have portable disk (or USB flashdrive or whatever) and there
> is no partition table on it, and you plug such drive to
> another system (namely older version of Windows) it
> likes to offer you to "initialize" drive - which can destruct
> LUKS header there. If there is a partition table, it thinks that
> drive was already initialized preventing it.
> (I think it is not problem in recent versions but not sure.)
>
> Milan

From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <4DFE19CB.1010701@redhat.com>
Date: Sun, 19 Jun 2011 17:46:19 +0200
From: Milan Broz
In-Reply-To: <4DFE1507.6020909@gmail.com>
Subject: Re: [dm-crypt] Partition mandatory?
To: Patrick
Cc: dm-crypt@saout.de

On 06/19/2011 05:25 PM, Patrick wrote:
> So, in the case of such a header destruction by an "old" OS, I think
> it is still possible to restore the header I saved using
>
> luksHeaderBackup <device> --header-backup-file <file>
>
> doing
>
> luksHeaderRestore <device> --header-backup-file <file>
>
> Correct?

yes, but it's just backup of LUKS header. Not a backup of data inside :-)
(with old header backup and passphrase you can unlock the drive,
so store it on safe place)

Milan

From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <4DFE3641.7070100@gmail.com>
Date: Sun, 19 Jun 2011 19:47:45 +0200
From: Patrick
In-Reply-To: <4DFE19CB.1010701@redhat.com>
Subject: Re: [dm-crypt] Partition mandatory?
To: Milan Broz
Cc: dm-crypt@saout.de

Yes, sure I'll do! Thanks again for your answers!

Best regards,

Patrick

On 19.06.11 17:46, Milan Broz wrote:
> On 06/19/2011 05:25 PM, Patrick wrote:
>> So, in the case of such a header destruction by an "old" OS, I think
>> it is still possible to restore the header I saved using
>>
>> luksHeaderBackup <device> --header-backup-file <file>
>>
>> doing
>>
>> luksHeaderRestore <device> --header-backup-file <file>
>>
>> Correct?
> yes, but it's just backup of LUKS header. Not a backup of data inside :-)
> (with old header backup and passphrase you can unlock the drive,
> so store it on safe place)
>
> Milan
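
The thread turns on what sits in the first sector: with LUKS on the whole device it is the LUKS header, and another OS "initializing" the drive replaces it with a partition table. The following is an added example, not code from the thread or from cryptsetup; it assumes the LUKS1 on-disk layout, and the sample bytes are constructed. It reports what the start of a device, image or header backup file currently holds.

```python
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")  # LUKS1 fixed header, 208 bytes
SLOT = struct.Struct(">II32sII")                   # each of the 8 key slots, 48 bytes
SLOT_ACTIVE = 0x00AC71F3

def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def inspect_start(data):
    """Classify the first bytes of a device, image or header backup file."""
    # Test for LUKS first: offset 510 lies inside key slot 6's salt, so a
    # healthy LUKS1 header can contain 55 AA there by chance.
    if data[:6] == LUKS_MAGIC:
        if len(data) < PHDR.size + 8 * SLOT.size:
            return {"kind": "luks-truncated"}
        (_, version, cipher, mode, hash_spec, payload, key_bytes,
         _, _, _, uuid) = PHDR.unpack_from(data)
        if version != 1:
            return {"kind": "luks", "version": version}
        active = [i for i in range(8) if
                  SLOT.unpack_from(data, PHDR.size + i * SLOT.size)[0] == SLOT_ACTIVE]
        return {"kind": "luks1", "cipher": _text(cipher) + "-" + _text(mode),
                "hash": _text(hash_spec), "key_bits": key_bytes * 8,
                "payload_sector": payload, "uuid": _text(uuid),
                "active_slots": active}
    if len(data) >= 512 and data[510:512] == b"\x55\xaa":
        return {"kind": "partition-table"}   # MBR, or GPT protective MBR
    return {"kind": "blank" if not any(data[:512]) else "unknown"}

def sample_luks1():
    """Constructed header using the options from the thread; no real key material."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain", b"whirlpool", 4096, 64,
                    bytes(20), bytes(32), 1000,
                    b"00000000-0000-0000-0000-000000000000")
    slots = b"".join(SLOT.pack(SLOT_ACTIVE if i == 0 else 0xDEAD, 1000,
                               bytes(32), 8 + i * 504, 4000) for i in range(8))
    return (hdr + slots).ljust(1024, b"\0")

def sample_initialized():
    """Constructed sector 0 after another OS wrote a partition-table signature."""
    return bytes(510) + b"\x55\xaa"

if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1], "rb") as f:   # device, image or luksHeaderBackup file
        print(inspect_start(f.read(1024)))
```

Run against a header backup file it confirms the backup parses as LUKS1 before you rely on it; run against the device (as root) it shows whether the header is still in place.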