On Sun, Feb 20, 2011 at 01:01:18AM +1100, Eric Bauman wrote:
> On 19/02/2011, Arno Wagner wrote:
>> Also, knowing where the encrypted
>> data is does not help the attacker, unless he/she can repeatedly
>> access the computer. In that case, all is likely lost anyways.
>
> Forgive my ignorance, some sources suggest randomising the disk
> before creating a container so that it's not possible to determine what
> is data and what is garbage. So I assumed the visible LVM header would
> reduce some of this benefit. Is there merit to this disk randomisation
> or does it just sound good but do nothing, spread by misinformed people
> such as myself? :)

There is one merit to randomisation with cryptographically strong
randomness: An attacker cannot tell how much data is in a crypto
container and where exactly it is. It is conceivable that without
randomisation an attacker could guess the filesystem, the size of some
files and the overall data size. That is typically hard to do, limited
to 512 byte (sector size) or 4096 byte (filesystem block size) precision,
and the information gained in the worst case is not a lot.

Side note: The LVM header only describes the size of the container, not
where exactly the data is. Container size is typically not information
that helps the attacker at all.

There is a second benefit to overwriting: You make sure no old data is
retained.

So, while not absolutely critical, it is good practice to overwrite with
crypto-randomness. Except in special cases, you do not need to obfuscate
the size of partitions or containers, i.e. the attacker can have access
to LVM/LUKS/RAID headers and superblocks without negative effect on
security.

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of "news"
is "something that hardly ever happens." -- Bruce Schneier
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
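The overwrite-with-randomness step discussed above, as an added example that is not part of the list post and not the cryptsetup project's own tooling: a small POSIX shell script that fills a target with bytes from /dev/urandom and then checks the two properties the post cares about, that nothing of the previous contents survives and that the result is incompressible (i.e. looks like the ciphertext that will later be written over it). It works on a temporary file-backed image so it can run unprivileged; the image path, the marker string standing in for "old data" and the sizes are constructed for the demo, and a real target such as /dev/sdb2 is an assumption, not a path from the thread.

```shell
#!/bin/sh
# Added example (not from the dm-crypt list post): wipe a target with
# cryptographically strong randomness before creating a container, then
# verify the wipe. Runs on a file image; on real hardware TARGET would be a
# block device (e.g. /dev/sdb2 - assumed path, not from the thread).

# wipe_random TARGET SIZE_MIB: overwrite the first SIZE_MIB MiB of TARGET
# with /dev/urandom output. conv=notrunc keeps an existing file's length.
wipe_random() {
    target=$1
    size_mib=$2
    dd if=/dev/urandom of="$target" bs=1048576 count="$size_mib" \
        conv=notrunc 2>/dev/null
}

# old_data_gone TARGET MARKER: succeed (exit 0) when MARKER no longer
# occurs anywhere in TARGET. -a forces grep to treat binary data as text.
old_data_gone() {
    ! grep -q -a -F "$2" "$1"
}

# compression_ratio TARGET: print (gzip output bytes * 100 / input bytes).
# Random data does not compress, so a correct wipe yields ~100; leftover
# plaintext or an all-zero device yields a value close to 0.
compression_ratio() {
    in_bytes=$(wc -c < "$1")
    out_bytes=$(gzip -c -1 "$1" | wc -c)
    echo $(( out_bytes * 100 / in_bytes ))
}

# demo: constructed scenario - an image full of recognisable "old" plaintext
# is wiped and the two checks are run. Returns 0 on a verified wipe.
demo() {
    img=$(mktemp)
    size=8
    marker="OLD-SECRET-PLAINTEXT-LINE"
    # Constructed leftover data: the marker repeated over the whole image.
    yes "$marker" | head -c $((size * 1048576)) > "$img"
    before=$(compression_ratio "$img")
    wipe_random "$img" "$size"
    after=$(compression_ratio "$img")
    if old_data_gone "$img" "$marker" && [ "$after" -ge 99 ]; then
        echo "wipe ok: compression ratio before=${before}% after=${after}%"
        rm -f "$img"
        return 0
    fi
    echo "wipe FAILED: compression ratio before=${before}% after=${after}%"
    rm -f "$img"
    return 1
}

demo
```

The compression check is a cheap sanity test, not a proof of randomness, but it does catch the common failure of an overwrite that silently stopped early or wrote a fixed pattern. On a real disk the same fill is usually obtained faster by writing zeros through a temporary dm-crypt mapping keyed from /dev/urandom (described in the cryptsetup FAQ); that needs root and a block device, so it is not exercised here.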