On 21.5.2013 15:58, Ralf Ramsauer wrote:
> Arno, your objections are legitimate. Though I think that authenticity
> would be a nice feature to dm-crypt.
> And I also think, that it *could* be realisable.
...

And you are not the first thinking about this :-)

We even talked about using GCM mode (around 2011) but unfortunately the
student interested in some proof-of-concept implementation for dmcrypt
abandoned this project. (Maybe time for another try...)

Whatever, there are at least three basic concepts:

- one said, this should be done on higher level
  (where you know which sectors contain real data - e.g. btrfs)

- second, which prefers separation of integrity and encryption
  (see e.g. dm-integrity patches on dm-devel or dm-verity for read-only)
  (You can stack integrity above dmcrypt.)

- and the third, using auth mode directly in dm-crypt

Here I would prefer to have some "standardised" on-disk layout for auth tag.

There are several approaches. (Some would work better with non-rotational
media, some are more problematic.)

(If you don't mind losing half of the disk space, you can internally use
1+1 sector (wasting second sector just for auth tag) and play with disk
limits/topology and sector size. This would work nicely even for
rotational media.)

(Storing more tags in one sector is just slightly more complicated, but it
adds more risk for data corruption if write fails during powerfail or so.)

I am not sure how useful using authenticated encryption is for real
applications, but as my former colleague would say - please send a patch :-)

Milan
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
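
The 1+1 layout and the packed-tag alternative from the message above, worked through as sector arithmetic. This is an added example, not code from the post or from dm-crypt; the 512-byte sector, the 16-byte tag, the tag-sector-first grouping and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define SECTOR_SIZE 512u /* assumed sector size in bytes */
#define TAG_SIZE    16u  /* assumed tag size: 128 bits, a full GCM tag */

struct placement {
    uint64_t data_sector; /* physical sector holding the ciphertext */
    uint64_t tag_sector;  /* physical sector holding its auth tag */
    uint32_t tag_offset;  /* byte offset of the tag inside tag_sector */
};

/* "1+1": every data sector is followed by a sector used only for its tag. */
static struct placement map_one_plus_one(uint64_t logical)
{
    return (struct placement){ 2 * logical, 2 * logical + 1, 0 };
}

static uint32_t tags_per_sector(void) { return SECTOR_SIZE / TAG_SIZE; }

/* Packed (assumed grouping): one tag sector, then the n data sectors it covers. */
static struct placement map_packed(uint64_t logical)
{
    uint32_t n = tags_per_sector();
    struct placement p;
    p.tag_sector = (logical / n) * (n + 1);
    p.data_sector = p.tag_sector + 1 + logical % n;
    p.tag_offset = (uint32_t)(logical % n) * TAG_SIZE;
    return p;
}

/* Data sectors left unverifiable when a single tag-sector write is torn. */
static uint32_t tags_lost_on_torn_write(int packed) { return packed ? tags_per_sector() : 1; }

/* Share of the device left for data, in whole percent (rounded down). */
static uint32_t usable_percent(int packed)
{
    uint32_t n = packed ? tags_per_sector() : 1;
    return 100u * n / (n + 1);
}

int main(void)
{
    struct placement p = map_packed(40); /* constructed sample: logical sector 40 */
    printf("packed: data=%llu tag=%llu+%u usable=%u%% lost=%u\n",
           (unsigned long long)p.data_sector, (unsigned long long)p.tag_sector,
           p.tag_offset, usable_percent(1), tags_lost_on_torn_write(1));
    return 0;
}
```

Under these assumptions, packing raises usable space from 50% to 96% but a single failed tag-sector write affects the tags of 32 data sectors instead of one.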