Hi, maybe you should start here: https://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions On 02/08/2015 03:06 PM, U.Mutlu wrote: > Hi, > I'm interessted in the inner workings of encrypting block devices > like the encrypted volumes created with the cryptsetup tool. > > Let's say a file of size 200K is stored on an encrypted ext2 filesystem. > How is the enrcyption key applied to it? To sum it up: cryptsetup is independent of the overlying filesystem and does not care about it. It just acts as a "mapper" and creates a new block device which represents plain text data. You can use this device for any purpose of your choice: create a filesystem on it, use it as a LVM Volume, .... > > I guess the password is used only for accessing/mounting the volume, > and the key is only a starting value (ie. a "seed") for the underlying > cipher. You can use a passphrase or a keyfile with cryptsetup LUKS. This key is applied to a key derivation function which derives an intermediate key which is used for decrypting a key slot which contains the actual master-key for decrypting your volume. This key slot or "lock box" concept opens the possibility that several key files or passphrases may unlock the volume. The material which is needed for decrypting the device is located in the LUKS header. See FAQ. > > Since in these cases usually a blockwise operating cipher is used, > that means that the file will be encrypted of course blockwise, > for example in blocks of 32 bytes. Yes, almost. dm-crypt uses a sector size of (correct me if i'm wrong) 512 Byte which means that every sector of 512 Byte gets en/decrypted independently. The encryption of each sector is parameterized by an initialization vector which may be influenced by the logical number of the sector. > > Now the question: are the blocks of that file all encrypted using the > same one key? Or does a kind of "streaming" or HMAC get used for the > subsequent blocks of the file? Well yes and no. Yes, the same key is used for all sectors of the volume and no, dm-crypt does not use HMAC to generate key streams. Just imagine: if you'd like to access the last sector of your volume you'd have to generate the whole key stream which would probably take a long time. cheers Ralf _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
