Hi Hendrik,
The portability of the on-disk format includes that I can basically
reimplement cryptsetup from scratch, without relying on the current
status quo. Moreover, I don't even need to use kernel crypto stuff at all
to, i.e., create a decrypted image of the data.
Your HSM-specific changes would be tied into cryptsetup, but if I
followed the current specification and had the corresponding HSM, I
would still need the 'specifics' regarding the HSM and how to use it to
set up the actual mapping.
If you got some spare time:
https://mbroz.fedorapeople.org/talks/DevConf2016/devconf2016-luks2.pdf
If the new format comes to life and allows for plugins, then if I
reimplemented cryptsetup and had no suitable plugin for an HSM or, say, a
cryptocard or whatever, I cannot set up the mapping. But I'd know that I
am prone to fail, since I lack the plugin I am supposed to use.
Now, in contrast, if you hack the HSM support into cryptsetup, there's no
on-disk indication and that is not really portable anymore.
Regards
-Sven
On 27.04.2017 at 17:09, Hendrik Brueckner wrote:
Hi Milan,
LUKS1 is a portable format; we cannot bind the format to specific hardware.
We considered that point in the merge request. It keeps LUKS1 as a
portable format, there are no changes on the LUKS1 format or header.
Of course, there are some differences when using wrapped keys, but these
have been addressed without affecting the on-disk-format structure.
Thanks and kind regards,
Hendrik
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt