On Sun, Jan 04, 2009 at 10:05:37AM +0700, M. Thomas Frederiksen wrote:
[...]
> Don't the faq's say not to make a backup?

I think so. However that is mainly to prevent a situation where you revoke/change a passphrase/key because it has been compromised and the backup is still there and allows access. For installation or if you can reliably erase it when you change passphrases, a backup is ok from a security POV.

Since overwriting the header removes all possibility to get at the data again, a backup is very much recommended when you do installation tasks that may involve the encrypted partition.

> Also, if the real key is in
> the header... how does luks prevent it from being used w/out the
> password?

Simple: It is encrypted with the passphrase.

> Might a future version keep backup headers automatically, in
> case of brain dead users, and crummy setup tools?

Unlikely, as you have to know what you are doing with backup or you can kill your security. Also there is the little problem that an "install over it" would also install over the backup, if it was automatic. As for non-automatic backups, I think there is a script somewhere that does them.

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier
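
Added example, not part of the original message and not cryptsetup code: a simplified Python model of the points made above (the master key sits in the header wrapped under the passphrase, a header backup taken before a passphrase change still opens with the old passphrase, and a wiped header leaves nothing to unlock). XOR with a PBKDF2-derived key stands in for the real LUKS key-slot encryption, and all function names, passphrases and the iteration count are constructed for illustration.

```python
import copy, hashlib, hmac, os

ITERS = 1000  # constructed, kept low so the demo runs fast; real headers use far more

def kek(passphrase, salt):
    # Key-encryption key derived from the passphrase (PBKDF2, as LUKS1 does).
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERS, dklen=32)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_slot(master_key, passphrase):
    salt = os.urandom(16)
    # Stand-in for the real slot cipher (assumption): XOR with the 32-byte KEK.
    return {"salt": salt, "wrapped": xor(master_key, kek(passphrase, salt))}

def make_header(master_key, passphrase):
    mk_salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", master_key, mk_salt, ITERS)
    return {"mk_salt": mk_salt, "mk_digest": digest,
            "slots": [make_slot(master_key, passphrase)]}

def unlock(header, passphrase):
    # Try every key slot; accept a candidate only if it matches the stored digest.
    for slot in header["slots"]:
        cand = xor(slot["wrapped"], kek(passphrase, slot["salt"]))
        check = hashlib.pbkdf2_hmac("sha256", cand, header["mk_salt"], ITERS)
        if hmac.compare_digest(check, header["mk_digest"]):
            return cand
    return None

def change_passphrase(header, old, new):
    mk = unlock(header, old)
    if mk is None:
        raise ValueError("old passphrase does not open any slot")
    header["slots"] = [make_slot(mk, new)]  # old slot is gone from the live header

def demo():
    mk = os.urandom(32)
    live = make_header(mk, "old-passphrase")
    backup = copy.deepcopy(live)            # header backup taken before the change
    change_passphrase(live, "old-passphrase", "new-passphrase")
    wiped = dict(live, slots=[])            # header overwritten: no slot left
    return {"live_old": unlock(live, "old-passphrase") is not None,
            "live_new": unlock(live, "new-passphrase") == mk,
            "backup_old": unlock(backup, "old-passphrase") == mk,
            "wiped_new": unlock(wiped, "new-passphrase") is not None}

if __name__ == "__main__":
    print(demo())
```

The `backup_old` result is the reason a header backup has to be erased reliably whenever a compromised passphrase is replaced.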