I have been very happily using dm-crypt + cryptsetup (thank you) for some time and assuming I should upgrade to cryptsetup-LUKS. However, after reading up lots of web pages, I no longer feel this is as urgent as I thought. My reasoning is based on the summary below. Are these points fair, or based on mistakes?

Advantages:

1. better encryption - but this seems less of a concern with a sufficiently good passphrase (i.e. long, not composed of dictionary words, etc.) if you are not worried about watermark attacks (which seem a relatively limited threat)

2. can change password w/o backing up and re-encrypting entire partition (very good, but a procedure rarely needed here)

Disadvantages:

1. If the sector(s?) containing the encrypted master key is damaged, it's impossible to recover any data from the partition (yes, this may be unusual and of course you should have backups, etc.)

2. A related point: it looks uncomfortably easy to run cryptsetup luksDelKey - e.g., I can imagine situations where you might want to revoke a passphrase you don't know but I would expect it to verify that you know one of the remaining ones. This wouldn't be unduly limiting: after all, if you know none of the passphrases you can still do a dd or shred or whatever to wipe the whole partition.

Thanks,
Mike
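Both disadvantages raised in the message above concern the LUKS header, so a check that a header (or a saved copy of one) is intact, and which key slots are still active, is useful before removing a key. The following is an added example, not part of the original message and not cryptsetup code; it assumes the LUKS1 on-disk layout from the LUKS on-disk format specification, the function names are hypothetical, and the sample header is constructed rather than taken from a real volume.

```python
import struct

# LUKS1 partition header layout (big-endian); assumed from the LUKS1 spec.
LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
NUM_SLOTS = 8
# magic, version, cipher name, cipher mode, hash spec, payload offset,
# key bytes, MK digest, MK digest salt, MK digest iterations, UUID
HDR = struct.Struct(">6sH32s32s32sII20s32sI40s")  # 208 bytes
# state, PBKDF2 iterations, salt, key material offset, stripes
SLOT = struct.Struct(">II32sII")  # 48 bytes per key slot


def _text(field):
    """Decode a NUL-padded ASCII header field."""
    return field.split(b"\0")[0].decode()


def inspect_luks1_header(buf):
    """Summarise a LUKS1 header; raise ValueError if it is unusable."""
    if len(buf) < HDR.size + NUM_SLOTS * SLOT.size:
        raise ValueError("truncated header")
    magic, version, cipher, mode, *_ = HDR.unpack_from(buf, 0)
    if magic != LUKS_MAGIC or version != 1:
        raise ValueError("no valid LUKS1 header (damaged, or not LUKS)")
    active = []
    for i in range(NUM_SLOTS):
        state = SLOT.unpack_from(buf, HDR.size + i * SLOT.size)[0]
        if state == SLOT_ACTIVE:
            active.append(i)
        elif state != SLOT_DISABLED:
            raise ValueError(f"key slot {i}: corrupt state field")
    return {
        "cipher": f"{_text(cipher)}-{_text(mode)}",
        "active_slots": active,
        # True means removing this slot leaves no passphrase for the volume.
        "last_remaining_slot": len(active) == 1,
    }


def build_sample_header(active_slots):
    """Constructed sample header (arbitrary values, not a real volume)."""
    hdr = HDR.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1",
                   1032, 32, bytes(20), bytes(32), 10,
                   b"00000000-0000-0000-0000-000000000000")
    slots = b"".join(
        SLOT.pack(SLOT_ACTIVE if i in active_slots else SLOT_DISABLED,
                  1000, bytes(32), 8 + i * 128, 4000)
        for i in range(NUM_SLOTS))
    return hdr + slots
```

The same function can be run on the first 592 bytes read from a device or from a saved header copy.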