Disk encryption best practices?

Hi there,

I'm about to encrypt my disk with loop-aes, and I'm wondering
whether this is a clever move:

1. The introduction (in German) at
   http://wiki.chaostreff.ch/index.php/Festplattenverschl%C3%BCsselung
   recommends not to use AES but to prefer Twofish.
   In addition, GnuPG uses CAST5 as default for symmetric
   encryption.

   What is the state-of-the-art here?

2. The text at http://mareichelt.de/pub/texts.cryptoloop.php
   warns against mainline cryptoloop:
   "Both cryptoloop and dm-crypt in kernels prior to 2.6.10 are
    vulnerable, and even recent dm-crypt still suffers from a weak
    crypto implementation."

   What is weak here?

3. The German Linux-Magazin 10/06 (http://www.linux-magazin.de)
   features an article by Peter Gutmann and Christian Ney, where
   they analyze different types of crypto filesystems.  They
   recommend Truecrypt, dm-crypt is second, and they essentially
   warn against loop-aes:
   They state that the code is complex and written in such a way
   that it is difficult to judge whether it does what it is supposed
   to do.  In addition, return values are never checked (e.g., when
   computing encryption keys), which might lead to a key consisting
   of just zeros.  However, the code is so sloppy that programs are
   more likely to crash with null-pointer dereferences than to use
   empty keys.  Besides, they complain that by default passwords are
   not salted and password hash iterations are not used.

   The part about code quality sounds scary.  Opinions?

   Concerning salting and iterations, for my root partition, I just
   have to uncomment two lines in build-initrd.sh, right?
   Concerning Example 2 in the loop-aes README (partition backed
   loop with gpg encrypted keys), I get salting and iterations with
   the gpg patch provided with loop-aes, right?

I'm curious...

Jens

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
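
The failure mode attributed to the article in point 3 (an unchecked return value leaving a key of all zeros), as an added example that is not part of the original post and is not loop-AES code. `derive_key`, `setup_unchecked`, `setup_checked` and `is_all_zero` are hypothetical names, and the mixing loop is a toy stand-in, not a real key-derivation function.

```c
#include <stdio.h>
#include <string.h>
#define KEY_LEN 32

/* Hypothetical stand-in for a key-setup step that can fail. NOT a real KDF
 * and NOT loop-AES code: it only models "return -1, leave output untouched". */
static int derive_key(const char *pass, unsigned char *key, size_t len)
{
    size_t n = pass ? strlen(pass) : 0;
    if (n == 0) return -1;              /* failure: key buffer not written */
    for (size_t i = 0; i < len; i++)    /* toy mixing, for illustration only */
        key[i] = (unsigned char)((unsigned char)pass[i % n] ^ (unsigned char)(0xA5u + i));
    return 0;
}

/* Returns 1 if every byte is zero; ORs all bytes, so there is no early exit. */
static int is_all_zero(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Unchecked pattern: the result is ignored, so a failed derivation still
 * reports success and the caller uses the zero-filled buffer as a key. */
int setup_unchecked(const char *pass, unsigned char key[KEY_LEN])
{
    memset(key, 0, KEY_LEN);
    derive_key(pass, key, KEY_LEN);
    return 0;
}

/* Checked pattern: propagate the failure and refuse an all-zero key. */
int setup_checked(const char *pass, unsigned char key[KEY_LEN])
{
    memset(key, 0, KEY_LEN);
    if (derive_key(pass, key, KEY_LEN) != 0 || is_all_zero(key, KEY_LEN))
        return -1;
    return 0;
}

int main(void)
{
    unsigned char k[KEY_LEN];
    int rc = setup_unchecked("", k);    /* constructed input: empty passphrase */
    printf("unchecked: rc=%d zero_key=%d\n", rc, is_all_zero(k, KEY_LEN));
    printf("checked:   rc=%d\n", setup_checked("", k));
}
```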

