Re: plain: opening with a wrong password

Milan Broz wrote, On 02/08/2015 10:55 AM:
> On 02/08/2015 10:23 AM, Arno Wagner wrote:
> > On Sun, Feb 08, 2015 at 09:19:54 CET, Heinz Diehl wrote:
> >
> > > From a purely practical perspective, the difference is usually negligible.
> > > While plain dm-crypt mounting fails at the mount stage due to wrong
> > > filesystem signatures, LUKS mounting fails at the decrypt stage.
>
> Beware, there are some combinations of the encryption mode + IV which decrypt
> the first block correctly in both cases, so fs returns the correct signature
> but fs is obviously corrupted... if you are not lucky, fsck will run
> and break the fs irrecoverably...
>
> This cannot happen with LUKS.
>
> See here that the ext3 device created with ESSIV still has a visible signature
> with plain IV:
>
> # echo "password" | cryptsetup create -c aes-cbc-essiv:sha256 -s 256 x /dev/sdb
> # mkfs -t ext3 -q /dev/mapper/x
> # blkid -p /dev/mapper/x
> /dev/mapper/x: UUID="f46ba5d8-8c26-4589-ac09-cb0829f2804f" SEC_TYPE="ext2" VERSION="1.0" TYPE="ext3" USAGE="filesystem"
>
> ... use fs
> # cryptsetup close x
>
> And now the mistake with plain IV:
>
> # echo "password" | cryptsetup create -c aes-cbc-plain -s 256 x /dev/sdb
> # blkid -p /dev/mapper/x
> /dev/mapper/x: UUID="f46ba5d8-8c26-4589-ac09-cb0829f2804f" SEC_TYPE="ext2" VERSION="1.0" TYPE="ext3" USAGE="filesystem"
>
> # mount /dev/mapper/x /mnt/tst
> mount: wrong fs type, bad option, bad superblock on /dev/mapper/x,
>         missing codepage or helper program, or other error
> ...
>
> DO NOT use plain mode if you are not sure what you are doing. Really.
>
> There is a detached LUKS header which is better; the issues I mentioned in the man
> page about detached headers are side problems, nothing serious for most users.
> (But obviously depends on your threat model.)
>
> Milan

But isn't it just saying that the mount cannot be done
because something is wrong, i.e. a wrong/incomplete cipher param was given?

What happens if you repeat the whole with the correct params?

And, should one not use "/dev/sdb1" etc. instead of "/dev/sdb"?

--
cu
Uenal


_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
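An added example, not part of the thread, showing the CBC property behind Milan's blkid output: with the right key but the wrong IV, only the first 16-byte block of each sector decrypts wrongly, while every later block chains off the preceding ciphertext block and comes back intact, so the ext3 magic at superblock offset 0x38 (byte 56 of sector 2) survives while the counts in bytes 0..15 are garbage and mount fails. The Go code reimplements the plain (32-bit little-endian sector number) and essiv:sha256 (sector number encrypted under SHA-256 of the key) IV generators as dm-crypt defines them; the key and the superblock sector are constructed stand-ins.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
)

// plainIV: dm-crypt "plain" IV, the 32-bit little-endian sector number, zero padded.
func plainIV(sector uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint32(iv, uint32(sector))
	return iv
}

// essivIV: dm-crypt "essiv:sha256" IV, the 64-bit LE sector number AES-encrypted under SHA-256(key).
func essivIV(key []byte, sector uint64) []byte {
	h := sha256.Sum256(key)
	blk, _ := aes.NewCipher(h[:])
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv, sector)
	blk.Encrypt(iv, iv)
	return iv
}

// cbcSector runs AES-CBC over one 512-byte sector with the given IV (key is 32 bytes).
func cbcSector(key, iv, in []byte, encrypt bool) []byte {
	blk, _ := aes.NewCipher(key)
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, in)
	}
	return out
}

// WrongIVDecrypt encrypts as ESSIV would, then decrypts as plain IV would, with the same key.
func WrongIVDecrypt(key []byte, sector uint64, pt []byte) []byte {
	ct := cbcSector(key, essivIV(key, sector), pt, true)
	return cbcSector(key, plainIV(sector), ct, false)
}

// MagicSurvives mis-decrypts a constructed stand-in for ext3 sector 2 (the superblock) and reports what survived.
func MagicSurvives(key []byte) (firstBlockOK, magicOK, restOK bool) {
	sb := make([]byte, 512)
	binary.LittleEndian.PutUint32(sb[0:], 65536)   // s_inodes_count, inside the first 16 bytes
	binary.LittleEndian.PutUint16(sb[56:], 0xEF53) // s_magic at superblock offset 0x38
	got := WrongIVDecrypt(key, 2, sb)
	return bytes.Equal(sb[:16], got[:16]), binary.LittleEndian.Uint16(got[56:]) == 0xEF53, bytes.Equal(sb[16:], got[16:])
}
```

Only the chaining of CBC is exercised here; a wrong key (rather than a wrong IV) garbles every block, which is the case Milan says cannot pass the signature check.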



