Getting past spam filter, attempt 3.

On Sun, Aug 2, 2009 at 11:20 AM, Roscoe<eocsor@xxxxxxxxx> wrote:
> FWIW I wouldn't forget about Serpent, which came 2nd in the AES
> selection process.
>
> From Practical Cryptography, by Niels Ferguson and Bruce Schneier:
> "If you are paranoid about the security of your data, and speed is
> not important, then you should choose Serpent. During the AES process,
> every serious cryptographer agreed that Serpent was the most secure
> (or most conservative) of the submissions"
>
> -- Roscoe
>
> On Sun, Aug 2, 2009 at 12:48 AM, Sam<test532@xxxxxxxxxxxxxxxx> wrote:
>> Thanks Moji,
>>
>> That will obviously provide a nice boost in performance over what I was
>> trying! I appreciate your help.
>>
>> Regards,
>> Sam
>>
>>> You do not need to make a filesystem on the intermediate device, because
>>> you treat the devices in /dev/mapper as block devices you can luksFormat
>>> any device that shows up in order to do cascade encryption. You just have
>>> to remember to close them first in last out.
>>>
>>> cryptsetup luksFormat -c aes-xts-plain /dev/sdc
>>> cryptsetup luksOpen /dev/sdc first_layer
>>> cryptsetup luksFormat -c aes-xts-plain /dev/mapper/first_layer
>>> cryptsetup luksOpen /dev/mapper/first_layer second_layer
>>> mkfs.ext2 /dev/mapper/second_layer -m 0 -L "Test"
>>> mount /dev/mapper/second_layer /mnt/usb
>>> umount /mnt/usb
>>> cryptsetup luksClose second_layer
>>> cryptsetup luksClose first_layer
>>>
>>> [Of course omit the luksFormat/mkfs lines after the device is created to
>>> open/close the device.]
>>>
>>> I do not know of any vulnerabilities with cascade encryption, it is
>>> normally just excessive, but someone else might.
>>>
>>> I hope that helps you,
>>>
>>> -MJ
>>>
>>> On Sat, 1 Aug 2009 07:39:42 -0400
>>> Sam <test532@xxxxxxxxxxxxxxxx> wrote:
>>> > Hi All,
>>> >
>>> > I am wondering if this is a good idea:
>>> >
>>> > encrypt a partition normally with cryptsetup luksFormat (using
>>> > aes-xts-plain), then luksOpen,
>>> > mkfs.ext2 format the device mapper device that appears,
>>> > mount it.
>>> > Then, create a giant file that fills up the partition.
>>> > losetup that file,
>>> > luksFormat the loop device (using twofish-xts-plain)
>>> > luksOpen it,
>>> > mkfs.ext2 format the device mapper device that appears,
>>> > mount it,
>>> > and use it...
>>> >
>>> > My purpose is that I don't trust AES, but I don't trust Twofish enough to
>>> > be sure it is better than AES.
>>> >
>>> > I am paranoid enough that the speed hit is acceptable.
>>> >
>>> > Questions:
>>> >
>>> > 1) is this the best way to achieve my goal with dm-crypt?
>>> > 2) is it secure? Or will it somehow cause my data to be less secure than
>>> > just using one cipher? Or will it somehow defeat the security provided by
>>> > XTS? (I would assume it becoming less secure in any way is impossible,
>>> > but I am not a cryptanalyst, so I don't want to be assuming such
>>> > things).
>>> >
>>> > I know TrueCrypt has a feature where you specify the cipher as
>>> > aes-twofish. This is what I wish to achieve, but using dm-crypt.
>>> >
>>> > Regards,
>>> > Sam
>>> > _______________________________________________
>>> > dm-crypt mailing list
>>> > dm-crypt@xxxxxxxx
>>> > http://www.saout.de/mailman/listinfo/dm-crypt
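
The layering described in the quoted reply, generalized to any number of layers and ciphers, as an added example that is not code from the thread. The function names, the layer1..layerN mapping names and the DRY_RUN/FORMAT variables are assumptions; the cipher strings are the ones used above.

```sh
#!/bin/sh
# Added example, not from the thread: stacked LUKS layers on one device.
# Assumptions: mapping names layer1..layerN, the DRY_RUN and FORMAT variables.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it (needs root).
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# cascade_close COUNT
# Close layerCOUNT down to layer1: the outermost mapping goes first, because
# each lower mapping is still in use by the one above it.
cascade_close() {
    n=$1
    while [ "$n" -ge 1 ]; do
        run cryptsetup luksClose "layer$n" || return 1
        n=$((n - 1))
    done
}

# cascade_open BASE_DEVICE CIPHER...
# One layer per cipher; layer N is created on /dev/mapper/layer(N-1).
# FORMAT=1 runs luksFormat on each layer first, which destroys existing data.
# If a step fails, the layers opened so far are closed again in reverse.
cascade_open() {
    dev=$1; shift
    n=0
    for cipher in "$@"; do
        n=$((n + 1))
        if [ "${FORMAT:-0}" = 1 ]; then
            run cryptsetup luksFormat -c "$cipher" "$dev" ||
                { cascade_close $((n - 1)); return 1; }
        fi
        run cryptsetup luksOpen "$dev" "layer$n" ||
            { cascade_close $((n - 1)); return 1; }
        dev=/dev/mapper/layer$n
    done
}

# Usage (dry run): FORMAT=1 cascade_open /dev/sdX aes-xts-plain twofish-xts-plain
# then mkfs/mount /dev/mapper/layer2; later umount it and run: cascade_close 2
```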