I am not sure this really is a security issue. It may confuse users,
but they will still be secure. Most probably use defaults anyways.
But if we change this, I propose to make aes-cbc-essiv:sha256 the
default for plain dm-crypt and to increase LUKS key length to 256
bits as well. The performance loss is apparently very small (10% or
so).

Arno

On Wed, Nov 18, 2009 at 11:01:18AM +0100, Stefan Xenon wrote:
> If the reason is historically only, it might be a kind of security issue
> (low priority) because this behaviour could result in wrong expectations
> of users on the system regarding the default key size. A user who learns
> that the default key size (using "create") is 256 bit but uses
> "luksFormat" (which uses 128 bit) instead, may be misled. Therefore
> it may be better to harmonize both default values.
>
> Stefan
>
>
> Arno Wagner wrote:
> > "create" is plain dm-crypt, luksFormat is creation of
> > a LUKS header. I suspect the reason is historical, as
> > these are two different encryption systems.
> >
> > Arno
> >
> >
> >
> > On Tue, Nov 17, 2009 at 11:45:40PM +0100, Stefan Xenon wrote:
> >> Hi!
> >> In the man page for cryptsetup is written regarding the option --key-size :
> >>
> >> "Can be used for create or luksFormat, all
> >> other LUKS actions will ignore this flag, as the key-size is
> >> specified by the partition header. Default is 128 for luksFormat
> >> and 256 for create."
> >>
> >> I am wondering what is the reason for two different default key sizes?
> >>
> >> Thanks
> >> Stefan
> >>
> >> _______________________________________________
> >> dm-crypt mailing list
> >> dm-crypt@xxxxxxxx
> >> http://www.saout.de/mailman/listinfo/dm-crypt
> >>
> >
>

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
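As an added example (not part of the thread or of cryptsetup itself), a POSIX shell check that reads `cryptsetup luksDump` output and flags a header created with the 128-bit luksFormat default, or with a mode other than cbc-essiv:sha256, so an admin can audit existing volumes without relying on what the default was at format time. The dump text below is constructed sample data in the LUKS1 layout; the field labels (`Cipher name:`, `Cipher mode:`, `MK bits:`) are assumed to match the tool's output.

```shell
#!/bin/sh
# Audit a LUKS1 header for the key size and cipher mode discussed in the
# thread. Reads "cryptsetup luksDump" text on stdin; nothing here touches a
# device. SAMPLE_DUMP is constructed data, not real luksDump output.

# Constructed: what a luksFormat with the old 128-bit default looks like.
SAMPLE_DUMP='LUKS header information for /dev/sdX2

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 2056
MK bits:        128
'

# mk_bits: print the master-key length (bits) from a luksDump on stdin.
mk_bits() {
    awk '/^MK bits:/ { sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }'
}

# cipher_spec: print "<name>-<mode>" (the --cipher form, e.g.
# aes-cbc-essiv:sha256) from a luksDump on stdin. The mode itself
# contains a colon, so split on the first colon only.
cipher_spec() {
    awk '/^Cipher name:/ { sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); n=$0 }
         /^Cipher mode:/ { sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); m=$0 }
         END { if (n != "" && m != "") print n "-" m }'
}

# check_header [MIN_BITS]: return 0 when the key is at least MIN_BITS
# (default 256) and the mode is cbc-essiv:sha256, 1 otherwise.
check_header() {
    min="${1:-256}"
    dump="$(cat)"
    bits="$(printf '%s\n' "$dump" | mk_bits)"
    spec="$(printf '%s\n' "$dump" | cipher_spec)"
    case "$spec" in
        *-cbc-essiv:sha256) mode_ok=1 ;;
        *)                  mode_ok=0 ;;
    esac
    if [ -n "$bits" ] && [ "$bits" -ge "$min" ] && [ "$mode_ok" -eq 1 ]; then
        echo "OK: $spec with ${bits}-bit master key"
        return 0
    fi
    echo "WEAK: ${spec:-unknown} with ${bits:-unknown}-bit master key (want >= $min bits, cbc-essiv:sha256)"
    return 1
}

# On a real system: cryptsetup luksDump /dev/sdX2 | check_header 256
```

Run against the constructed sample it reports WEAK because of the 128-bit key; a header formatted with `--key-size 256` passes.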