On 1/27/19 6:47 PM, Wolfgang Pfeiffer wrote:
> Yes, something like that is what I suspect: The actual data on disk
> would be left untouched when the *disk/partition* is encrypted. I had
> a look through documents explaining luks, and again and again the
> topic is "disk" encryption, not "data" encryption. So maybe all that
> happens is that - to use a picture - a high security prison (some sort
> of crypto layer) is built around the data on disk, while leaving the
> actual data untouched, and non-encrypted.
It sounds like you're unfamiliar with the implementation, and possibly
with filesystems and block devices in general. I'll try to explain,
with some simplifications. You suggested this command:
cryptsetup open --type plain -d /dev/urandom /dev/<block-device> to_be_wiped
This creates a mapping in the kernel where blocks on the virtual device
named "to_be_wiped" are filtered through an encryption algorithm before
writing, or after reading, blocks on the physical device
/dev/<block-device>.
Running this command (unless I'm misreading the docs for the "plain"
section) doesn't actually write to or modify the content of the block
device at all. Only when you write to /dev/mapper/to_be_wiped will
encrypted data actually be written to /dev/<block-device>.
(You would normally create a new filesystem on /dev/mapper/to_be_wiped,
which would replace a small number of blocks on the disk with new blocks
containing encrypted data related to the filesystem. Again, most of the
pre-existing data isn't overwritten by that process. The old data would
not be readable through /dev/mapper/to_be_wiped, but could be read directly
through /dev/<block-device>.)
The next step of the process you suggested was:
cat /dev/zero > /dev/mapper/to_be_wiped
This will write zeros to the virtual block device, which will be
filtered through the encryption algorithm and the results written to the
blocks on the physical device. This will sequentially overwrite the
contents of the physical disk.
> In other words: It seems the file system is encrypted, not the data:
> see the already mentioned FAQ: "Create the LUKS container" - at the
> end of the section: "Done. You can now use the encrypted file system
> to store data"
The command you referenced above doesn't use LUKS, but that's a minor nit.
Both the filesystem and your data are encrypted when using dm-crypt
(whether you use LUKS or not). However, creating a dm-crypt device
doesn't modify the pre-existing data. It only writes encrypted data to
the disk when data is written to the virtual device.
Does that make sense?
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
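As an added illustration of the explanation in the reply above (not code from the thread or from cryptsetup), here is a toy model of a plain dm-crypt mapping layered over a block device: opening the mapping writes nothing, reads through the mapper turn the old plaintext into noise, and writing zeros through the mapper overwrites every physical sector with ciphertext. The 16-byte sector size, the SHA-256 XOR keystream standing in for dm-crypt's real cipher, and the sample sector contents are all constructed assumptions.

```python
import hashlib
import os

SECTOR = 16  # toy sector size; real block devices use 512 or 4096 bytes


def keystream(key: bytes, sector: int) -> bytes:
    """Per-sector keystream (toy cipher, NOT dm-crypt's AES); XOR = enc = dec."""
    return hashlib.sha256(key + sector.to_bytes(8, "big")).digest()[:SECTOR]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class PlainMapping:
    """Models /dev/mapper/<name> layered over a physical device (a bytearray)."""

    def __init__(self, physical: bytearray, key: bytes):
        # Like 'cryptsetup open --type plain': only the mapping is set up;
        # nothing on the physical device is read or written here.
        self.phys, self.key = physical, key

    def read(self, sector: int) -> bytes:
        s = sector * SECTOR  # decrypt whatever is physically there
        return xor(self.phys[s:s + SECTOR], keystream(self.key, sector))

    def write(self, sector: int, data: bytes) -> None:
        s = sector * SECTOR  # encrypt, then land it on the physical device
        self.phys[s:s + SECTOR] = xor(data, keystream(self.key, sector))

    def wipe(self) -> None:
        """'cat /dev/zero > /dev/mapper/to_be_wiped': zeros in, ciphertext out."""
        for sector in range(len(self.phys) // SECTOR):
            self.write(sector, bytes(SECTOR))


def demo(sectors: int = 4, key: bytes = None) -> dict:
    # Constructed old plaintext already sitting on the disk before any crypto.
    old = b"".join(b"SECRET-SECTOR-%02d" % s for s in range(sectors))
    physical = bytearray(old)
    mapping = PlainMapping(physical, key or os.urandom(32))  # -d /dev/urandom
    untouched_after_open = bytes(physical) == old  # raw device still readable
    through_mapper = mapping.read(0)  # same bytes seen via the mapper: noise
    mapping.wipe()
    return {
        "untouched_after_open": untouched_after_open,
        "mapper_sees_noise": through_mapper != old[:SECTOR],
        "raw_overwritten": b"SECRET" not in physical,
        "mapper_reads_zeros": mapping.read(1) == bytes(SECTOR),
    }
```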