DM-Crypt Archive on lore.kernel.org
From: Jonas Meurer <jonas@freesources.org>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] please HELP - can't acces encrypted LVM after linux reinstallation.
Date: Mon, 31 Oct 2011 23:17:57 +0100
Message-ID: <4EAF1E95.1070203@freesources.org>
In-Reply-To: <20111031071832.GA9071@tansi.org>

On 31.10.2011 08:18, Arno Wagner wrote:
> In addition, any kind of automatic header backup breaks the LUKS
> security model and needs to come with a very clear warning if
> automatized (as in an installer). The problem is that old
> passphrases will be stored and will survive deletion in the active
> LUKS header. That is not good at all.

While I agree with you that cryptsetup already does a lot to prevent
data (i.e. header) loss, I don't see a reason why (optional) header
backup at some random place on the device would be such a big security
problem.
For sure the exact place of the backup header would be stored in the first
header, and any cryptsetup action which changes/wipes (parts of) the
header would need to do this for the backup header as well.

Overwriting the first kbytes of device would no longer be sufficient.
Instead overwriting the header would require to actually overwrite
both first and backup header. But that's the only drawback I can see
so far.

I guess that I missed something important.

Greetings,
 jonas
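
An added illustration of the two positions in this exchange (not code from the thread or from cryptsetup): a revoked passphrase still recovers the master key from a stale header backup unless every header change is mirrored to the backup. The ToyHeader class, the XOR key wrapping and the passphrases are assumptions made for the example and do not reflect the LUKS on-disk format.

```python
import hashlib
import os

def kek(passphrase, salt):
    # Key-encryption key from a passphrase (PBKDF2, low count for the demo).
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 1000)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class ToyHeader:
    """Constructed model: keyslots that each wrap the same master key."""
    def __init__(self, master_key):
        self.mk_digest = hashlib.sha256(master_key).digest()
        self.slots = {}  # slot number -> (salt, wrapped master key)

    def add_slot(self, n, passphrase, master_key):
        salt = os.urandom(16)
        self.slots[n] = (salt, xor(master_key, kek(passphrase, salt)))

    def kill_slot(self, n):
        self.slots.pop(n)

    def unlock(self, passphrase):
        # Try every slot; accept the candidate whose digest matches.
        for salt, wrapped in self.slots.values():
            candidate = xor(wrapped, kek(passphrase, salt))
            if hashlib.sha256(candidate).digest() == self.mk_digest:
                return candidate
        return None

    def snapshot(self):
        copy = ToyHeader.__new__(ToyHeader)
        copy.mk_digest, copy.slots = self.mk_digest, dict(self.slots)
        return copy

def old_passphrase_still_works(sync_backup):
    """Return (via active header, via backup header) after revoking slot 0."""
    mk = os.urandom(32)
    active = ToyHeader(mk)
    active.add_slot(0, "old passphrase", mk)
    backup = active.snapshot()          # automatic backup, e.g. by an installer
    active.add_slot(1, "new passphrase", mk)
    active.kill_slot(0)                 # user revokes the old passphrase
    if sync_backup:                     # every header change mirrored to the backup
        backup = active.snapshot()
    return (active.unlock("old passphrase") == mk,
            backup.unlock("old passphrase") == mk)

if __name__ == "__main__":
    print("stale backup :", old_passphrase_still_works(sync_backup=False))
    print("synced backup:", old_passphrase_still_works(sync_backup=True))
```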
