Thanks for the reply!
With regards to the multiple containers, the configuration I'd run
across was one container per partition, with the key for each stored in
/. When the system was booted, the passphrase was entered, and each
partition's container opened and mounted automatically.
On 19/02/2011, Arno Wagner wrote:
I typically randomise my block device before creating a LUKS container
on it. Option 2 would seem to reduce the effectiveness of this because
LVM will give clues to where real data might be.
I don't follow. That encrypted data is present is obvious from
the LUKS header. What is in the container(s) is as opaque in
(1) as it is in (2), given that cryptographically strong
randomness is used for the overwrite (I use plain dm-crypt
with a random password and overwrite with conventional,
mt19997-generated randomness).
I meant not that the data protection of one was better than the other,
but rather in (2) LVM will store in plain-text both the start and end
offset of the partition. So perhaps an attacker would have a better idea
of where data is. Comparing knowing the partition starts at X and ends
at Y, there is probably some encrypted data in there somewhere, versus a
giant container with no indication of structure (could be encrypted data
or could be random garbage).
Thanks,
Eric
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
