Hi.
I'd have a number of questions regarding dm-crypt/LUKS/cryptsetup and
would be happy if some of them could be answered :)
1) With LUKS there's a master key (the one which is decrypted via the
key-slot-keys and that's actually used to decrypt the payload data).
How is it generated? Via /dev/random or /dev/urandom?
2) They key-files specified via --key-file when creating LUKS volume
or adding a new key... is it directly used as the
master-key-encrypting key or is it somehow hashed and the result is
used for the actual encryption?
And as a follow-up,.. does it need to have a special size, related to
the used cipher/mode, or can it be e.g. 1 MB and is simply hashed?
3) Which cipher/mode is the "most secure" one? Perhaps with the
restriction that AES should be used?
Currently I always use aes-xts-plain.
AFAIK lrw is "borken" or has at least some design issues which is why
xts was developed, right?
Or is something different better?
Should one use plain with xts or better essiv or even benbi? From what
I understood how XTS works is, that plain should be just fine and
essiv/benbi should give no additional security, right?
I guess "best" is to use AES with 256 bits, right? How large has the
key to be then? I've read somewhere that one needs actually 512 bits
then for use with XTS.
4) Is the master key only stored at one place on the disk, or at multiple?
Imagine I have some severe disk errors, and the LUKS header is
completely lost... is the dump as created by luksHeaderBackup enough
the get decryption working again?
5) I guess it's still true that one should (for security reasons) fill
the disk with random data before creating the LUKS volume, right?
I guess this is also true, when using SSDs, at least when not using TRIM?
May I suggest that you add a feature to cryptsetup, that when doing a
luksFormat, the disk is automatically filled with random data, and an
additional switch to disable it (I guess the default should be to do
the filling, although it's time consuming... I mean we do the whole
crpyt-thingy for our paranoia ;) ).
6) Are there plans to at LABEL soupport to the LUKS volumes? I mean
UUID is already there...
Thanks so far,
Chris.
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt