On Sun, Jan 4, 2009 at 8:35 AM, M. Thomas Frederiksen <mahasamoot@xxxxxxxxx> wrote:
> That's exactly what happened. It never occurred to me that Kubuntu's
> crummy setup tool would not detect the same technology that it uses. I
> thought it was using "cryptsetup create ..." But the other partitions it
> set up are luks... what do they think will happen at next install? I'll
> send them a bug report.

Unfortunately, there's a very thin line between "my data is safe from theft" and "sh*t, I can't access my data anymore", and I think popular distros are not doing enough to protect the user from crossing that line.

>> In that case you're out of luck as long as you don't have a backup of the luks header
>> from your old encrypted /home device.
>>
> Don't the FAQs say not to make a backup?

Yes, and the logic is solid: access to a luks header makes password revocation futile (for the passwords that were current at the time that header was backed up). But again, it's ultra-paranoid. It's good for the kind of data where "no one else should EVER be able to see this" is far more critical than "this data is important to me and I need *some* insurance against losing it". What percent of people, and what percent of their data, need that level of protection I leave to you to decide. Plus, as you have just discovered with Kubuntu, it implicitly assumes that the installation/configuration/setup is perfect.

> Also, if the real key is in the header... how does luks prevent it from being
> used w/out the password?

It's not stored plain of course -- it's protected by your password, strengthened by schemes like PBKDF2.

> Might a future version keep backup headers automatically, in
> case of brain dead users, and crummy setup tools?

Not the upstream dm-crypt software: it is the job of security software to be ultra-paranoid by default.
But distros should do something about this, perhaps as an option at the time of install -- IMO it is *their* job to make the technology usable to different levels of users.

---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
For additional commands, e-mail: dm-crypt-help@xxxxxxxx
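An added example (not part of the original message and not cryptsetup code): a simplified Python model of the header scheme discussed above, showing why a header backup still opens the volume with a revoked passphrase, and why a re-created header with the same passphrase does not recover the old key. The XOR wrap, dictionary layout, function names and iteration count are assumptions for illustration; real LUKS key slots use a cipher and anti-forensic splitting.

```python
import copy, hashlib, hmac, os

ITER = 1000  # constructed value; a real header stores its own iteration counts

def _kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITER, dklen=32)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def add_slot(header, master_key, passphrase):
    # The slot holds the master key wrapped under a passphrase-derived key.
    salt = os.urandom(16)
    wrapped = _xor(master_key, _kdf(passphrase.encode(), salt))
    header["slots"].append({"salt": salt, "wrapped": wrapped})

def format_volume(passphrase):
    # A fresh random master key per format; the header never stores it in plain.
    master_key = os.urandom(32)
    digest_salt = os.urandom(16)
    header = {"digest_salt": digest_salt,
              "mk_digest": _kdf(master_key, digest_salt),  # verifies candidates
              "slots": []}
    add_slot(header, master_key, passphrase)
    return master_key, header

def unlock(header, passphrase):
    # Try every slot; accept a candidate only if it matches the stored digest.
    for slot in header["slots"]:
        cand = _xor(slot["wrapped"], _kdf(passphrase.encode(), slot["salt"]))
        if hmac.compare_digest(_kdf(cand, header["digest_salt"]), header["mk_digest"]):
            return cand
    return None

def change_passphrase(header, master_key, new_passphrase):
    header["slots"].clear()               # revoke every existing slot
    add_slot(header, master_key, new_passphrase)

def demo():
    mk, header = format_volume("old passphrase")
    backup = copy.deepcopy(header)        # header backup taken before revocation
    change_passphrase(header, mk, "new passphrase")
    _, reformatted = format_volume("old passphrase")  # installer re-creates header
    return {
        "live_old": unlock(header, "old passphrase"),            # revoked on disk
        "live_new": unlock(header, "new passphrase") == mk,
        "backup_old": unlock(backup, "old passphrase") == mk,    # backup undoes revocation
        "backup_new": unlock(backup, "new passphrase"),
        "reformatted_same_pass": unlock(reformatted, "old passphrase") == mk,
    }

if __name__ == "__main__":
    print(demo())
```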