miscellaneous dm-crypt/LUKS/cryptsetup questions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi.
I'd have a number of questions regarding dm-crypt/LUKS/cryptsetup and would be happy if some of them could be answered :)
1) With LUKS there's a master key (the one which is decrypted via the key-slot-keys and that's actually used to decrypt the payload data). 
How is it generated? Via /dev/random or /dev/urandom?
2) They key-files specified via --key-file when creating LUKS volume or adding a new key... is it directly used as the master-key-encrypting key or is it somehow hashed and the result is used for the actual encryption? And as a follow-up,.. does it need to have a special size, related to the used cipher/mode, or can it be e.g. 1 MB and is simply hashed?
3) Which cipher/mode is the "most secure" one? Perhaps with the restriction that AES should be used? 
Currently I always use aes-xts-plain.
AFAIK lrw is "borken" or has at least some design issues which is why xts was developed, right? 
Or is something different better?
Should one use plain with xts or better essiv or even benbi? From what I understood how XTS works is, that plain should be just fine and essiv/benbi should give no additional security, right?
I guess "best" is to use AES with 256 bits, right? How large has the key to be then? I've read somewhere that one needs actually 512 bits then for use with XTS. 


4) Is the master key only stored at one place on the disk, or at multiple?
Imagine I have some severe disk errors, and the LUKS header is completely lost... is the dump as created by luksHeaderBackup enough the get decryption working again?
5) I guess it's still true that one should (for security reasons) fill the disk with random data before creating the LUKS volume, right? 
I guess this is also true, when using SSDs, at least when not using TRIM?
May I suggest that you add a feature to cryptsetup, that when doing a luksFormat, the disk is automatically filled with random data, and an additional switch to disable it (I guess the default should be to do the filling, although it's time consuming... I mean we do the whole crpyt-thingy for our paranoia ;) ).
6) Are there plans to at LABEL soupport to the LUKS volumes? I mean UUID is already there... 


Thanks so far,
Chris.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
[Index of Archives]     [Device Mapper Devel]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux