On Sat, Aug 05, 2006 at 06:30:43PM +0200, Absolon wrote:
> >I don't know about the "single point of failure" part when there is
> >a possibility to avoid the problem (backups and keeping your LUKS header
> >on RAID). However I do agree that this issue is overlooked in the general
> >documentation.
[...]
> I don't consider the dd option to be a safe way. There is no way to
> determine that the output from dd is really the luks-header, is
> there? You can check if the drive is a luks-drive but you can't
> verify that the data you get from dd is a correct one.

That is only a problem if you use dd wrongly. Any experienced UNIX
admin should not be troubled by this.

> Of course, you can argue that since the header is in that particular
> place it must be the header, but I think it's too much of a
> hacker-solution than a real solution for a serious production
> environment.

You think so? Well, I don't. It is a typical Unix solution. It works
well, provided you know what you are doing. Come to think of it, you
need to know what you are doing anyway for reliable operation. And of
course this would be scripted as part of the backup, which makes it
even more reliable.

> And after reading the mailing list it seems that the
> problem with a damaged header isn't an uncommon event.
> Having the header with just one copy on the disk is a very high risk
> solution. If you look at for instance Sun's raid/mirror solutions
> you can save like 10 backups of the important metadata for "just in
> case".

Well, I think having backups of the metadata is a good idea. On the
other hand Linux software RAID does without backup, and I have not
heard of problems with lost metadata for that so far. Of course the
RAID superblocks are stored at the _end_ of the device, so overwriting
them accidentally is pretty hard.

Maybe add an optional backup copy of the LUKS header to the end of the
device? Of course this does not protect from user error...

Arno
--
Arno Wagner, Dipl. Inform., CISSP --- CSG, ETH Zurich, wagner@xxxxxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
Windows is the "under-3" toy of the OS world. -- Matthew D. Fuller
---------------------------------------------------------------------
http://www.saout.de/misc/dm-crypt/
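The scripted dd header backup the reply has in mind, with the verification step Absolon asks for (does the dd output actually parse as a LUKS header?), as an added example that is not from the thread or from cryptsetup. It assumes the LUKS1 on-disk layout (magic "LUKS\xba\xbe" at byte 0, big-endian version at byte 6, big-endian payload offset in 512-byte sectors at byte 104); all function and file names are this example's own, and the sample image is constructed, not a real volume.

```shell
#!/bin/sh
# Back up a LUKS1 header with dd and check that the copy really is the header.
# Assumed LUKS1 layout: magic at byte 0, version at byte 6, payload offset
# (in 512-byte sectors) at byte 104. Function names are this example's own.

LUKS_MAGIC_HEX=4c554b53babe   # "LUKS\xba\xbe"

# Print N bytes at byte OFFSET of FILE as one lowercase hex string.
hex_at() { od -An -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'; }

# Succeed only if FILE starts with the LUKS1 magic and version 1.
is_luks1() {
    [ "$(hex_at "$1" 0 6)" = "$LUKS_MAGIC_HEX" ] && [ "$(hex_at "$1" 6 2)" = "0001" ]
}

# Payload offset in sectors: everything before it is header plus key slots,
# which is exactly the region a header backup must cover.
luks_payload_sectors() { echo $(( 0x$(hex_at "$1" 104 4) )); }

# Copy header+keyslots from DEV to OUT with dd, then verify OUT by length and magic.
luks_header_backup() {
    dev=$1; out=$2
    is_luks1 "$dev" || { echo "$dev: no LUKS1 header found" >&2; return 1; }
    sectors=$(luks_payload_sectors "$dev")
    [ "$sectors" -gt 0 ] || { echo "$dev: bad payload offset" >&2; return 1; }
    dd if="$dev" of="$out" bs=512 count="$sectors" 2>/dev/null || return 1
    # The copy must have the expected length and itself parse as a LUKS1 header.
    [ "$(wc -c < "$out" | tr -d ' ')" -eq $(( sectors * 512 )) ] \
        || { echo "$out: short copy" >&2; return 1; }
    is_luks1 "$out" || { echo "$out: copy is not a LUKS header" >&2; return 1; }
    echo "$out: $sectors sectors copied, magic and version verified"
}

# Constructed sample only (not a real volume): LUKS1 magic, version 1,
# payload offset 8 sectors, padded with zeros to 16 sectors.
make_fake_luks1_image() {
    { printf 'LUKS\272\276\000\001'; head -c 96 /dev/zero
      printf '\000\000\000\010'; head -c 8084 /dev/zero; } > "$1"
}
```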