On Sun, Feb 08, 2015 at 10:55:35 CET, Milan Broz wrote:
> On 02/08/2015 10:23 AM, Arno Wagner wrote:
> > On Sun, Feb 08, 2015 at 09:19:54 CET, Heinz Diehl wrote:
> > > From a purely practical perspective, the difference is usually negligible.
> > While plain dm-crypt mounting fails at the mount stage due to wrong
> > filesystem signatures, LUKS mounting fails at the decrypt stage.
>
> Beware, there are some combinations of the encryption mode + IV which decrypt
> the first block correctly in both cases, so fs returns correct signature
> but fs is obviously corrupted... if you are not lucky, fsck will run
> and break the fs irrecoverably...

Indeed. My comments only apply to a wrong key, they do _not_ apply to
other wrong parameters!

> This cannot happen with LUKS.
>
> See here that the ext3 device created with ESSIV still has a visible signature
> with plain IV:
>
> # echo "password" | cryptsetup create -c aes-cbc-essiv:sha256 -s 256 x /dev/sdb
> # mkfs -t ext3 -q /dev/mapper/x
> # blkid -p /dev/mapper/x
> /dev/mapper/x: UUID="f46ba5d8-8c26-4589-ac09-cb0829f2804f" SEC_TYPE="ext2" VERSION="1.0" TYPE="ext3" USAGE="filesystem"
>
> ... use fs
> # cryptsetup close x
>
> And now the mistake with plain IV:
>
> # echo "password" | cryptsetup create -c aes-cbc-plain -s 256 x /dev/sdb
> # blkid -p /dev/mapper/x
> /dev/mapper/x: UUID="f46ba5d8-8c26-4589-ac09-cb0829f2804f" SEC_TYPE="ext2" VERSION="1.0" TYPE="ext3" USAGE="filesystem"
>
> # mount /dev/mapper/x /mnt/tst
> mount: wrong fs type, bad option, bad superblock on /dev/mapper/x,
>        missing codepage or helper program, or other error
> ...
>
> DO NOT use plain mode if you are not sure what you are doing. Really.

I second that!

Arno

> There is a detached LUKS header which is better, the issues I mentioned in
> the man page about detached header are side problems, nothing serious for most
> users. (But obviously depends on your threat model.)
>
> Milan
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> http://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@xxxxxxxxxxx
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of "news" is
"something that hardly ever happens." -- Bruce Schneier
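The mechanism behind Milan's blkid-versus-mount observation is a property of CBC mode, shown here as an added example that is not part of the thread and not cryptsetup or dm-crypt code. In CBC decryption each plaintext block is P_i = D_K(C_i) XOR C_{i-1} with C_{-1} = IV, so a wrong IV scheme (plain instead of essiv) garbles only the first 16 bytes of each 512-byte sector and leaves the remaining 496 bytes intact. The ext2/3/4 superblock magic sits at byte 0x438 (sector 2, offset 56), outside the damaged region, which is why blkid still reports a filesystem while the rest of the first blocks are garbage and mount fails. With a wrong key, by contrast, D_K(C_i) is wrong for every block and nothing survives, which is Arno's distinction. The block cipher below is a toy 4-round Feistel network standing in for AES (demonstration only, not a real cipher); the IV generators follow dm-crypt's plain (little-endian sector number) and essiv (sector number encrypted under SHA-256 of the key) schemes; the disk image, key and filler are constructed for the example.

```python
"""Wrong IV scheme under CBC: first block of every sector damaged, everything else intact."""
import hashlib
import hmac
import struct

BLOCK = 16                       # 128-bit block size, as AES
SECTOR = 512                     # dm-crypt sector size
EXT_MAGIC = 0xEF53               # ext2/3/4 superblock magic
EXT_MAGIC_OFFSET = 1024 + 0x38   # superblock at byte 1024, s_magic at offset 0x38 inside it


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function: HMAC-SHA256 of (round index, right half), truncated to 8 bytes.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """4-round balanced Feistel network on one 16-byte block. Toy cipher, NOT AES."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_encrypt_block: the same rounds run backwards."""
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def iv_plain(key: bytes, sector: int) -> bytes:
    """dm-crypt 'plain' IV: 32-bit little-endian sector number, zero-padded to the block size."""
    return struct.pack("<I", sector & 0xFFFFFFFF).ljust(BLOCK, b"\0")


def iv_essiv(key: bytes, sector: int) -> bytes:
    """dm-crypt 'essiv:sha256' IV: the plain IV encrypted under salt = SHA-256(key)."""
    salt = hashlib.sha256(key).digest()
    return toy_encrypt_block(salt, iv_plain(key, sector))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = bytearray(), iv
    for off in range(0, len(data), BLOCK):
        prev = toy_encrypt_block(key, _xor(data[off:off + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = bytearray(), iv
    for off in range(0, len(data), BLOCK):
        c = data[off:off + BLOCK]
        out += _xor(toy_decrypt_block(key, c), prev)   # IV only touches the first block
        prev = c
    return bytes(out)


def map_device(key: bytes, ivgen, data: bytes, encrypt: bool) -> bytes:
    """Apply CBC sector by sector with a per-sector IV, the way dm-crypt maps a device."""
    op = cbc_encrypt if encrypt else cbc_decrypt
    return b"".join(op(key, ivgen(key, s), data[off:off + SECTOR])
                    for s, off in enumerate(range(0, len(data), SECTOR)))


def damaged_blocks(expected: bytes, actual: bytes) -> list:
    """Byte offsets of the 16-byte blocks that differ between two images."""
    return [off for off in range(0, len(expected), BLOCK)
            if expected[off:off + BLOCK] != actual[off:off + BLOCK]]


def build_image() -> bytes:
    """Constructed 3-sector image carrying an ext-style magic at byte 0x438 (sector 2, offset 56)."""
    img = bytearray(hashlib.sha256(b"constructed filler").digest() * (3 * SECTOR // 32))
    img[EXT_MAGIC_OFFSET:EXT_MAGIC_OFFSET + 2] = struct.pack("<H", EXT_MAGIC)
    return bytes(img)


def demo(key: bytes = b"constructed demo key") -> dict:
    image = build_image()
    on_disk = map_device(key, iv_essiv, image, encrypt=True)    # device created with ESSIV
    right = map_device(key, iv_essiv, on_disk, encrypt=False)   # opened again with ESSIV
    wrong = map_device(key, iv_plain, on_disk, encrypt=False)   # opened by mistake with plain IV
    return {
        "roundtrip_ok": right == image,
        "magic_visible": struct.unpack_from("<H", wrong, EXT_MAGIC_OFFSET)[0] == EXT_MAGIC,
        "damaged": damaged_blocks(image, wrong),                # expected: [0, 512, 1024]
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports the magic still visible and exactly one damaged 16-byte block at the start of each sector, matching the thread: a signature probe succeeds, but the superblock's first bytes and the first block of every data sector are destroyed, so mount fails and an fsck would be working on corrupted metadata.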