Thanks Moji,

That will obviously provide a nice boost in performance over what I was trying!
I appreciate your help.

Regards,
Sam

> You do not need to make a filesystem on the intermediate device, because
> you treat the devices in /dev/mapper as block devices you can luksFormat
> any device that shows up in order to do cascade encryption. You just have
> to remember to close them first in last out.
>
> cryptsetup luksFormat -c aes-xts-plain /dev/sdc
> cryptsetup luksOpen /dev/sdc first_layer
> cryptsetup luksFormat -c aes-xts-plain /dev/mapper/first_layer
> cryptsetup luksOpen /dev/mapper/first_layer second_layer
> mkfs.ext2 /dev/mapper/second_layer -m 0 -L "Test"
> mount /dev/mapper/second_layer /mnt/usb
> umount /mnt/usb
> cryptsetup luksClose second_layer
> cryptsetup luksClose first_layer
>
> [Of course omit the luksFormat/mkfs lines after the device is created to
> open/close the device.]
>
> I do not know of any vulnerabilities with cascade encryption, it is
> normally just excessive, but someone else might.
>
> I hope that helps you,
>
> -MJ
>
> On Sat, 1 Aug 2009 07:39:42 -0400
> Sam <test532@xxxxxxxxxxxxxxxx> wrote:
> > Hi All,
> >
> > I am wondering if this is a good idea:
> >
> > encrypt a partition normally with cryptsetup luksFormat (using
> > aes-xts-plain), then luksOpen,
> > mkfs.ext2 format the device mapper device that appears,
> > mount it.
> > Then, create a giant file that fills up the partition.
> > losetup it that file,
> > luksFormat the loop device (using twofish-xts-plain)
> > luksOpen it,
> > mkfs.ext2 format the device mapper device that appears,
> > mount it,
> > and use it...
> >
> > My purpose is that I don't trust AES, but I don't trust twofish enough to
> > be sure it is better than AES.
> >
> > I am paranoid enough that the speed hit is acceptable.
> >
> > Questions:
> >
> > 1) is this the best way to achieve my goal with dm-crypt?
> > 2) is it secure? Or will somehow it cause my data to be less secure than
> > just using one cipher? Or will it somehow defeat the security provided by
> > XTS? (I would assume it becoming less secure in any way is impossible,
> > but I am not a cryptanalyst, so I don't want to be assuming such
> > things).
> >
> > I know truecrypt has a feature where you specify the cipher as
> > aes-twofish. This is what I wish to achieve, but using dm-crypt.
> >
> > Regards,
> > Sam
> > _______________________________________________
> > dm-crypt mailing list
> > dm-crypt@xxxxxxxx
> > http://www.saout.de/mailman/listinfo/dm-crypt
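The teardown order discussed in the thread (unmount, then close the layers last-opened-first), generalised to any number of stacked layers. This is an added example, not part of the original messages: the function name `teardown_plan` is hypothetical, both sample inputs are constructed, and the `lsblk` listing is assumed to show the top layer first.

```shell
#!/bin/sh
# Added example: plan the teardown of a stacked dm-crypt device.
# It only prints the commands; nothing is unmounted or closed.

# Constructed sample, assumed shape of:
#   lsblk -s -l -n -o NAME,TYPE /dev/mapper/second_layer
# (top layer first, backing disk last)
SAMPLE_LSBLK='second_layer crypt
first_layer crypt
sdc disk'

# Constructed sample in /proc/mounts format.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/mapper/second_layer /mnt/usb ext2 rw,relatime 0 0'

# teardown_plan LSBLK_TEXT MOUNTS_TEXT
# For each crypt layer, top of the stack first, print an umount for every
# filesystem mounted from it, then the luksClose for that layer.
# Returns 1 if the listing contains no crypt layer at all.
teardown_plan() {
    lsblk_text=$1
    mounts_text=$2
    found=0
    while read -r name type; do
        [ "$type" = "crypt" ] || continue
        found=1
        # A layer cannot be closed while a filesystem on it is mounted.
        printf '%s\n' "$mounts_text" |
            awk -v dev="/dev/mapper/$name" '$1 == dev { print "umount " $2 }'
        printf 'cryptsetup luksClose %s\n' "$name"
    done <<EOF
$lsblk_text
EOF
    [ "$found" -eq 1 ] || { echo "no crypt layers in listing" >&2; return 1; }
}

# Show the plan for the two-layer stack from the thread.
teardown_plan "$SAMPLE_LSBLK" "$SAMPLE_MOUNTS"
```

On a live system the two arguments would come from the `lsblk` command named in the comment and from the contents of `/proc/mounts`.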