On Wed, Feb 12, 2014 at 17:10:40 CET, Milan Broz wrote:
> On 02/12/2014 03:30 PM, Thomas Bächler wrote:
> > On 12.02.2014 15:19, Arno Wagner wrote:
> >> -h is the hash that the plain-text password is put through
> >> to turn it into a binary value of certain defined length.
> >> -c specifies the hash that goes into pbkdf2 for the hash
> >> iteration.
> >
> > Are you sure?
> >
> > I was under the impression that '-c' only affects the cipher parameter
> > passed to dm-crypt - a hash would then be relevant for cipher modes like
> > cbc-essiv, but xts-plain64 would ignore it. Thus, cryptsetup has defaults
> > like 'aes-cbc-essiv:sha256', since essiv needs a hash, and
> > aes-xts-plain64, since xts does not need a hash.
> >
> > According to the manpage, -h is what is used in PBKDF2 in luksFormat
> > mode, or to hash the passphrase in plain mode.
>
> Yes, this is correct. The -h parameter is for LUKS header (PBKDF2 + AF splitter).
> For plain mode it means algorithm to use when hashing password.
>
> For -c it is cipher/mode for kernel dmcrypt (if there is an IV spec which requires
> hash like ESSIV, then it contains hashspec as parameter).
>
> Milan

Just added clarifications for -c and -h to the man-page.
That I was confused about their meaning shows that it
was not clear enough ;-)

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. - Plato
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
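
The split between -c and -h that the thread settles on, as an added example that is not part of the original messages and is not cryptsetup's own code. The function names, passphrase, salt and iteration count are constructed for illustration, and the plain-mode function assumes the key is no longer than one digest, so the digest is simply truncated.

```python
import hashlib

def parse_cipher_spec(spec):
    """Split a -c value of the form cipher-mode-ivgen[:ivopts] (dm-crypt syntax).
    Simplified: does not handle a key count such as 'aes:64-cbc-lmk'."""
    cipher, _, rest = spec.partition("-")
    mode, _, iv = rest.partition("-")
    iv_gen, _, iv_opt = iv.partition(":")
    return {"cipher": cipher, "mode": mode or None,
            "iv_gen": iv_gen or None, "iv_hash": iv_opt or None}

def header_kdf(passphrase, hash_name, salt, iterations, key_bytes):
    """LUKS role of -h: the hash used inside PBKDF2.
    The AF splitter, which also uses -h, is not modelled here."""
    return hashlib.pbkdf2_hmac(hash_name, passphrase, salt, iterations, key_bytes)

def plain_key(passphrase, hash_name, key_bytes):
    """Plain-mode role of -h: the passphrase is hashed directly.
    Assumption: key_bytes <= digest size, so the digest is truncated."""
    digest = hashlib.new(hash_name, passphrase).digest()
    if key_bytes > len(digest):
        raise ValueError("this model only covers keys up to one digest long")
    return digest[:key_bytes]

def hash_roles(cipher_spec, header_hash):
    """Report which hash ends up where for a given -c / -h pair."""
    spec = parse_cipher_spec(cipher_spec)
    return {"kernel_cipher": cipher_spec,      # handed to dm-crypt as is
            "iv_hash": spec["iv_hash"],        # only set for IV specs like essiv
            "header_or_passphrase_hash": header_hash}

if __name__ == "__main__":
    pw, salt = b"constructed passphrase", b"constructed-salt"
    for c in ("aes-xts-plain64", "aes-cbc-essiv:sha256"):
        print(c, "->", hash_roles(c, "sha1"))
    # Changing -h changes the PBKDF2 output; the -c value is not an input to it.
    print(header_kdf(pw, "sha1", salt, 1000, 32).hex())
    print(header_kdf(pw, "sha256", salt, 1000, 32).hex())
    print(plain_key(pw, "sha256", 32).hex())
```
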