From: Milan Broz
Date: Wed, 12 Feb 2014 17:10:40 +0100
Subject: Re: [dm-crypt] Some questions about cryptsetup 1.6.x
To: Thomas Bächler, dm-crypt@saout.de
Message-ID: <52FB9D00.5050405@gmail.com>
In-Reply-To: <52FB8572.7030408@archlinux.org>
References: <20140212141908.GA9017@tansi.org> <52FB8572.7030408@archlinux.org>

On 02/12/2014 03:30 PM, Thomas Bächler wrote:
> On 12.02.2014 15:19, Arno Wagner wrote:
>> -h is the hash that the plain-text password is put through
>> to turn it into a binary value of certain defined length.
>> -c specifies the hash that goes into pbkdf2 for the hash
>> iteration.
>
> Are you sure?
>
> I was under the impression that '-c' only affects the cipher parameter
> passed to dm-crypt - a hash would then be relevant for cipher modes like
> cbc-essiv, but xts-plain64 would ignore it. Thus, cryptsetup has defaults
> like 'aes-cbc-essiv:sha256', since essiv needs a hash, and
> aes-xts-plain64, since xts does not need a hash.
>
> According to the manpage, -h is what is used in PBKDF2 in luksFormat
> mode, or to hash the passphrase in plain mode.

Yes, this is correct.

The -h parameter is for the LUKS header (PBKDF2 + AF splitter).
For plain mode it means the algorithm to use when hashing the password.

For -c it is the cipher/mode for kernel dmcrypt (if there is an IV spec which
requires a hash like ESSIV, then it contains the hashspec as a parameter).

Milan
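
Added example, not part of Milan's message and not cryptsetup's own code: a simplified Python model of the split described in this thread, where -c carries a hash only as the IV generator's parameter and -h selects the hash for PBKDF2 (LUKS) or for hashing the passphrase directly (plain mode). Function names, passphrase and salt are constructed; the AF splitter and plain-mode keys longer than one digest are not modelled.

```python
import hashlib

# IV generators that take a hash as their parameter (the thread names ESSIV).
IV_NEEDS_HASH = {"essiv"}

def parse_cipher_spec(spec):
    """Split a -c value such as 'aes-cbc-essiv:sha256' into its parts."""
    parts = spec.split("-", 2)
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"expected cipher-mode[-iv[:hash]], got {spec!r}")
    iv, _, iv_hash = parts[2].partition(":") if len(parts) == 3 else ("", "", "")
    if iv in IV_NEEDS_HASH and not iv_hash:
        raise ValueError(f"IV generator {iv!r} needs a hash, e.g. {iv}:sha256")
    return {"cipher": parts[0], "mode": parts[1],
            "iv": iv or None, "iv_hash": iv_hash or None}

def luks_keyslot_key(passphrase, hash_name, salt, iterations, key_bytes):
    """-h in LUKS mode: the hash inside PBKDF2 that processes the passphrase."""
    return hashlib.pbkdf2_hmac(hash_name, passphrase, salt, iterations, key_bytes)

def plain_mode_key(passphrase, hash_name, key_bytes):
    """-h in plain mode: the passphrase is hashed directly, no salt, no iterations.

    Simplified: only covers keys no longer than one digest.
    """
    digest = hashlib.new(hash_name, passphrase).digest()
    if key_bytes > len(digest):
        raise ValueError("key longer than one digest is outside this model")
    return digest[:key_bytes]

if __name__ == "__main__":
    for spec in ("aes-cbc-essiv:sha256", "aes-xts-plain64"):
        print(spec, "->", parse_cipher_spec(spec))
    pw = b"constructed passphrase"   # constructed sample input
    salt = b"constructed-salt"       # constructed sample input
    print("luks :", luks_keyslot_key(pw, "sha256", salt, 1000, 32).hex())
    print("plain:", plain_mode_key(pw, "sha256", 32).hex())
```

The same passphrase and -h value give different keys in the two modes, and changing the hash inside the -c spec changes neither of them.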