On 31.10.2011 08:18, Arno Wagner wrote:
> In addition, any kind of automatic header backup breaks the LUKS
> security model and needs to come with a very clear warning if
> automatized (as in an installer). The problem is that old
> passphrases will be stored and will survive deletion in the active
> LUKS header. That is not good at all.

While I agree with you that cryptsetup already does a lot to prevent data (i.e. header) loss, I don't see a reason why an (optional) header backup at some random place on the device would be such a big security problem.

For sure the exact place of the backup header would be stored in the first header, and any cryptsetup action which changes/wipes (parts of) the header would need to do this for the backup header as well. Overwriting the first kbytes of the device would no longer be sufficient. Instead, overwriting the header would require actually overwriting both the first and the backup header. But that's the only drawback I can see so far. I guess that I missed something important.
Greetings,
jonas
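The point both posters are circling, that a header copy keeps every key slot it contained at backup time, so an old passphrase removed from the active header still opens the copy, and that wiping only the active header no longer destroys the data, can be shown with a small model. The following is an added example, not code from the thread or from cryptsetup: it is a toy LUKS-style header (master key wrapped once per key slot under a PBKDF2-derived key, verified through a master-key digest) with an XOR stand-in for the real wrapping and no anti-forensic splitter. Slot numbers, iteration counts and passphrases are constructed for the demonstration.

```python
import copy
import hashlib
import os
from dataclasses import dataclass, field

# Toy model of a LUKS-style header (assumption: simplified, not the real
# on-disk format). The master key is wrapped once per key slot under a
# passphrase-derived key; the header stores only the wrapped copies plus a
# digest of the master key used to recognise a successful unwrap.
KDF_ITERS = 10_000   # constructed value; real setups use far more work
KEY_LEN = 32
MAX_SLOTS = 8


@dataclass
class KeySlot:
    salt: bytes
    wrapped_mk: bytes


@dataclass
class Header:
    mk_digest: bytes
    slots: dict = field(default_factory=dict)   # slot number -> KeySlot


def _derive(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERS, KEY_LEN)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def add_key(hdr: Header, master_key: bytes, passphrase: str) -> int:
    """Wrap the master key under a new passphrase in the first free slot."""
    slot = next(i for i in range(MAX_SLOTS) if i not in hdr.slots)
    salt = os.urandom(16)
    hdr.slots[slot] = KeySlot(salt, _xor(master_key, _derive(passphrase, salt)))
    return slot


def format_header(master_key: bytes, passphrase: str) -> Header:
    hdr = Header(mk_digest=hashlib.sha256(master_key).digest())
    add_key(hdr, master_key, passphrase)
    return hdr


def unlock(hdr: Header, passphrase: str):
    """Return the master key if any slot accepts the passphrase, else None."""
    for s in hdr.slots.values():
        mk = _xor(s.wrapped_mk, _derive(passphrase, s.salt))
        if hashlib.sha256(mk).digest() == hdr.mk_digest:
            return mk
    return None


def change_key(hdr: Header, old: str, new: str) -> None:
    """Replace the slot opened by `old` with one opened by `new` (like luksChangeKey)."""
    mk = unlock(hdr, old)
    if mk is None:
        raise ValueError("old passphrase does not open any slot")
    victim = next(n for n, s in hdr.slots.items()
                  if _xor(s.wrapped_mk, _derive(old, s.salt)) == mk)
    del hdr.slots[victim]        # the active header forgets the old slot
    add_key(hdr, mk, new)


def backup_header(hdr: Header) -> Header:
    """A header backup is a verbatim copy, slots included."""
    return copy.deepcopy(hdr)


def wipe_header(hdr: Header) -> None:
    """Model overwriting the header area: every slot and the digest are gone."""
    hdr.slots.clear()
    hdr.mk_digest = bytes(len(hdr.mk_digest))


def accepted(hdr: Header, candidates):
    """Which of the candidate passphrases still open this header copy."""
    return [p for p in candidates if unlock(hdr, p) is not None]


def demo():
    """Run the scenario from the thread and report which copies accept which passphrase."""
    mk = os.urandom(KEY_LEN)
    both = ["old-passphrase", "new-passphrase"]
    active = format_header(mk, "old-passphrase")
    stale_backup = backup_header(active)            # automatic backup taken here
    change_key(active, "old-passphrase", "new-passphrase")
    refreshed_backup = backup_header(active)        # backup redone after the key change
    wipe_header(active)                             # overwrite only the first header
    return {
        "active_after_wipe": accepted(active, both),
        "stale_backup": accepted(stale_backup, both),
        "refreshed_backup": accepted(refreshed_backup, both),
    }


if __name__ == "__main__":
    for name, opened_by in demo().items():
        print(f"{name}: opened by {opened_by or 'nothing'}")
```

The stale backup is still opened by the passphrase that `change_key` removed from the active header, and wiping the active header leaves both backup copies usable, which is why a backup kept on the device has to be refreshed on every key change and overwritten together with the first header.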