From: Jonas Meurer <jonas@freesources.org>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] please HELP - can't acces encrypted LVM after linux reinstallation.
Date: Mon, 31 Oct 2011 23:48:13 +0100 [thread overview]
Message-ID: <4EAF25AD.9080200@freesources.org> (raw)
In-Reply-To: <CAMw1ynTLyR6L2qMo8B=C1a8GQLE85_xBks+ctzoZMQYCyAd3ug@mail.gmail.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Am 31.10.2011 23:34, schrieb Claudio Moretti:
> While I agree with you, that cryptsetup already does a lot to
> prevent data (i.e. header) loss, I don't see a reason why
> (optional) header backup at some random place on the device would
> be such a big security problem.
>
> Because it would significantly decrease the efficiency of
> cryptsetup anti-forensic features, if i'm not wrong.. Meaning that
> if the header is stored somewhere in the disk, that place should be
> traceable: if it is random, there has to be some known place where
> its location is stored; if the location information is not stored,
> but one has to analyze the entire disk to find it, analyzing the
> disk would expose the header; this applies also to the "fixed
> header location" hypothesis. That's what I think I have understood
> from previous (similar and related) discussions with Arno; please,
> correct me if I'm mistaken.
I don't suggest to hide the backup header. In fact the exact place of
it should be obvious (either fixed, or better: random but written to
the first header). Thus the second header is as obvious as the first
one. Only difference: it's not at the beginning of the device.
Unfortunately the first sectors of a device are overwritten much more
often than later sectors.
I see that a backup header - which for sure needs to be overwritten by
new luksFormat - wouldn't prevent accidents like the one explained in
the first message to this thread. Only in cases where people
accidently overwrite the first sectors of a luks device, this kind of
backup header could prevent data loss.
Greetings,
jonas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJOryWtAAoJEFJi5/9JEEn+wU0P/jYjfauG4Ak1C+eLZ/YzkSEH
Lf5KY5WlIip3dKSkrgtZ9EjIB71PJbDhvdA0QLG6k/5MbubrDqSIGf+rb8LvJ46n
FlaBob16VcpWbhdycgk07DRjt94lkI7IZg3LrLcK3f1xD53Ztyo96dqUlAU6jOzB
qNjhQawgViTR6YPeMozUs8fn4gPAFp5AzxdmOpvoPCuErk3A8/r7T5NBRtDROPw8
7tva1AQvoFYHh8ZmSCncTN/1h0QGMTjWVY4rVUVypk7p8axbFOUQWqpnKQ15Vee/
XfPavhd8d4ws/z0OOfMn5bLQt4c9UhWC8wbr74rt/TCkXVggx4HAUT4XHZItRkK4
8MxPZLCDxINedy1s5cpkgWFpptmqNbraf9iof2DXjQLQw1V+FABIDYXV1YxzGqc7
eWKPtpNTvhwBVYZ3PsEXIqnLTo2yrzit5/GQsk/MKgGFcJRYfK9/MqVkRWb0YNR+
tmt+H0y1TZXKm265EcryjvJ1jVJ7fylAtSbMGOW8OUHvLHTZfkzF2HZ7uhdy36RB
czEHt6WbfpZI783fjp6C3SnPNM3MJXd+UTWJN5uCaWaxWNols1mZI/Jn8M2GUDQH
TtwDDSwq/a+R63piVrvjLNJKglbjz/Km6j/Nz/VUY9B07+Ih+dPhNKOB62fl0DTW
QL8T/nDXlV4Z/IXq5Q1M
=5p2O
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2011-10-31 22:48 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-10-28 15:23 [dm-crypt] please HELP - can't acces encrypted LVM after linux reinstallation Aleksander Swirski
2011-10-28 15:37 ` Rick Moritz
2011-10-28 15:48 ` Aleksander Swirski
2011-10-28 15:53 ` Marc Ballarin
2011-10-28 16:03 ` Arno Wagner
2011-10-28 16:05 ` Aleksander Swirski
2011-10-28 16:24 ` Arno Wagner
2011-10-28 16:38 ` Aleksander Swirski
2011-10-28 17:20 ` Heinz Diehl
2011-10-28 18:14 ` Aleksander Swirski
2011-10-29 7:43 ` Arno Wagner
2011-10-30 16:08 ` Aleksander Swirski
2011-10-30 17:32 ` Arno Wagner
2011-10-30 18:56 ` Aleksander Swirski
2011-10-30 22:25 ` Jonas Meurer
2011-10-31 0:30 ` Aleksander Swirski
2011-10-31 3:30 ` ingo.schmitt
2011-10-31 7:18 ` Arno Wagner
2011-10-31 22:17 ` Jonas Meurer
2011-10-31 22:34 ` Claudio Moretti
2011-10-31 22:48 ` Jonas Meurer [this message]
2011-10-31 23:46 ` Claudio Moretti
2011-11-01 5:02 ` Arno Wagner
2011-11-01 4:45 ` Arno Wagner
2011-11-01 4:36 ` Arno Wagner
2011-10-31 8:47 ` Quentin Lefebvre
2011-10-31 22:56 ` Jonas Meurer
2011-10-31 22:40 ` Jonas Meurer
2011-10-29 8:15 ` Yves-Alexis Perez
2011-10-30 19:03 ` Aleksander Swirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4EAF25AD.9080200@freesources.org \
--to=jonas@freesources.org \
--cc=dm-crypt@saout.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox