Re: Status in 2007 of: loop-aes VS dm-crypt VS truecrypt

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I think a lot of people would be very interested to see a fresh, detailed, competent analysis of the points you have raised, including a lot of security and forensic professionals.

Be aware that some of these points have been the subject of fairly heated debate between the dm-crypt and loop-aes camps in the past.  Hopefully that era is over.

One reason perhaps that loop-aes has a steady but small following is the dm-crypt people seemed to respond very poorly to Jari's critiicisms for quite a while, ducking and weaving, flaming, and calling these "FUD".  To my mind this damaged their credibility quite a lot and raised more issues.

When criticisms are not responded to carefully and with prompt action where necessary, it is prudent  put a question mark next to that software.  I note that Truecrypt addressed the LRW issue quickly.

The only scathing criticism I have ever read of loop-aes 3.x  (by Peter Guttman) is that the code is very hard to follow and therefore it is difficult to verify that it is working exactly as advertised.  Jari agreed fully with that criticism and did not attempt to avoid it.

I do not know if he has attempted to make the code more readable.

Re: kernel upgrades: with loop-aes, obviously you have to rebuild the loop-aes modules with the new kernel.  Loop-aes is designed to be backwards-compatible (see the chart in the readme) so will mount partitions encrypted with earlier versions (but visa-versa should not be attempted).

I don't know the situation with the device mapper-based stuff, but I do know that the precompiled Truecrypt rpm never works with Fedora for me when it is supposed to  - I always have to compile truecrypt from source. 












John Smith <the.real.monkey.d.luffy@xxxxxxxxx> wrote:
Hi,

I will soon build a new system and it's time to make a choice between
loop-aes and dm-crypt.
I will use full disk encryption, where only the bootlader and initrd
will be plaintext while residing in a separate partition.
Truecrypt will also be used and will run on top of the chosen device
mapper. (Yes, I will use 2 encryption systems simultaneously)

I've read that loop-aes is more secure than dm-crypt, but also the
contrary. However, the only justification I've seen was that there was
a bug in both dm-crypt and truecrypt, that, as of today, has been
fixed.


Some references:

Debian 4 (Etch) install manual
http://www.debian.org/releases/stable/amd64/ch06s03.html.en
-> "The default method is dm-crypt (included in newer Linux kernels,
able to host LVM physical volumes), the other is loop-AES (older,
maintained separately from the Linux kernel tree). Unless you have
compelling reasons to do otherwise, it is recommended to use the
default."
=> What would be the compelling reason here?

http://riseuplabs.org/grimoire/storage/encryption/loop-aes/
-> "Loop-AES is more secure than dm-crypt (and possibly faster),
although it requires a custom kernel module and is more work to
install than dm-crypt."
=> But no justification given regarding the security aspect.

http://mail.nl.linux.org/linux-crypto/2006-02/msg00037.html
-> "Truecrypt, which is also device-mapper based, only very recently
attempted to fix a major security hole which Jari had been warning
people about for some time."
=> As of 2006-02 it was fixed, so there is no problem with Truecrypt.
-> "debian packages for loop-aes do not require a kernel recompile
unless you want to encrypt the root filesystem."
=> Ok, so I need to recompile -_-

http://mail.nl.linux.org/linux-crypto/2006-09/msg00008.html
-> "Both cryptoloop and dm-crypt in kernels prior to 2.6.10 are
vulnerable, and even recent dm-crypt still suffers from a weak crypto
implementation."
=> I will be using 2.6.20, which allows for LRW mode and thus solve
the watermark problem.
-> "dm-crypt... which leaks location of changed data in some unusual
situations."
=> What exactly consists this leak and has it been fixed?




So, what are the current problems of each implementation (if any)?

Thank you.


BTW, this question as been itching me...
Does the act of upgrading the kernel goes without problems and
glitches, or is it "common" to be locked out of the encrypted system
(or even worse, to lose data) when an upgrade goes bad?

-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/



Boardwalk for $500? In 2007? Ha!
Play Monopoly Here and Now (it's updated for today's economy) at Yahoo! Games.

[Index of Archives]     [Kernel]     [Linux Crypto]     [Gnu Crypto]     [Gnu Classpath]     [Netfilter]     [Bugtraq]
  Powered by Linux