Re: hex keys


On Sun, Mar 09, 2008 at 06:05:15PM +0100, Clemens Fruhwirth wrote:
> LUKS is about delivering safe-as-you-can-get encryption for _regular_
> user passphrases like: "hello","123","tim". When you have an entropy
> rich key, use "cryptsetup create". Or even better, use dmsetup. It
> supports hex keys directly.
> 
> Also hashing should not weaken your password, so I don't get the
> reason why you want to avoid it. (IIRC, SHA1 is no universal hash, but it
> should be good enough for practical purposes).

I've considered that. "cryptsetup create" is incompatible with LUKS
format and loses some of its advantages. dmsetup is awkward to use
directly because I'd have to roll my own initramfs and make sure the
key doesn't get written or displayed anywhere. 

Based on my reading of the source code, hashing as it is implemented
in cryptsetup would wastefully weaken a 64 digit key by truncating it
first, even if the algorithm thereafter were perfectly secure.
Moreover, since hex format character strings are a subset of general
passphrases, it stands to reason that the hash might map them to a
subset of the key space. (disclaimer: I'm not a cryptologist.)

I'm not suggesting that anyone should be forced to use hex keys.

Dennis

---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
For additional commands, e-mail: dm-crypt-help@xxxxxxxx

