On Sun, Sep 09, 2012 at 10:45:18AM +0200, Milan Broz wrote: > On 09/09/2012 12:45 AM, Matthias Schniedermeyer wrote: > > On 08.09.2012 22:02, Arno Wagner wrote: > >> > >> You can have up to 8 with LUKS. Each gets it own key-slot. > >> Unfortunately, the key-slot with the highest risk to get > >> damaged is the first one and that is where a single passphrase > >> ends up in if you do not override the placement default. > > If most of installation it uses only the first slot, you can hardly > notice that other (unused) were corrupted as well :) > > Most of programs formatting data today (mkfs, mkswap, lvm, mdadm...) > wipes more data, usually at least the first 4KB. > > (mkswap should warn if it detects other signature, it is already > using libblkid. In fact I thought it was fixed years ago...) I think the OP sees a old swap signature that was not wiped by a very old cryptsetup. Hmm. Come to think of it, could that signature have served to make some broken script auto-detect the LUKS container as swap? If the Ubuntu life-CD though here was some nice space to use as swap, it could have mangled the keyslot. > > If that happens so often, why not change the default and place the first > > key in slot 8? > > (Assuming that can be done without significant compatibility issues) > > No, this is just hiding problem. > So it will be corrupted after first swap use (in this case)... Indeed. Makes things even harder to diagnose. The proper way is for others to check for possible signatures and warn. Unfortunately we have no way of ensuring that. Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F ---- One of the painful things about our time is that those who feel certainty are stupid, and those with any imagination and understanding are filled with doubt and indecision. -- Bertrand Russell _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt