On Wed, May 31, 2006 at 10:20:42AM -0400, Deskin Miller wrote: > Right-- known plaintext attacks, perhaps other weaknesses in the > encryption with just zeros-- to messy to figure out. > > So how about this? We do like they suggest with /dev/zero, but we do > it with a randomly-generated key, which has nothing to do with the key > used to actually encrypt data, and furthermore doesn't need to be > remembered: we throw it away after writing the random (encrypted) > data. > > When the disk is actually mounted, it uses the real key, generated > from a passphrase or some other method, business as usual- the data > written to the drive is still zeros, but with a cryptographic key > which we didn't remember, and aren't using anyway, so with the real > key the data is seemingly random. Is it? I thought that things were encrypted per block. I don't know how this works, so anyone who does please correct me, but my guess would be that using all zeroes would result in a repeating pattern: every block would look the same, wouldn't it? If that is true, then it wouldn't be random at all. Moreover, I still don't get why this is necessary at all. My guess was that you do this to *erase* the not-encrypted data that was on the disk before you installed dm-crypt. So, if the harddisk is brand new, then this is not needed, correct? If however there was un-encrypted data on the disk, then please note that overwriting it with a random pattern won't help. It is possible to (after taking the disk apart, so one would need a laboratory for this-- but there are companies specialized in it) read the magnetic information from the disk in an analogue way. In this analogue signal, you can still see the old data, even after it was overwritten. The easiest would be some kind of picture, say, that was overwritten with noise. By encoding the analogue signal to a new picture, you'd still clearly see the old picture + noise. In order to really wipe a harddisk, you need to overwrite it with different random patterns for like 20 times. There are special programs to do that (search for 'wipe'). Obviously, it DOES take a long time. But you can do it over night. -- Carlo Wood <carlo@xxxxxxxxxx> --------------------------------------------------------------------- - http://www.saout.de/misc/dm-crypt/ To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx For additional commands, e-mail: dm-crypt-help@xxxxxxxx
