On Mon, Jul 08, 2019 at 18:53:05 CEST, Milan Broz wrote:
> On 08/07/2019 18:14, Maksim Fomin wrote:
>
> > I am using disk encryption with cryptsetup utility in plain mode for
> > some time. Whenever discussion of choice between LUKS and plain mode
> > pops up (distro discussion, boot loader support, filesystem) plain
> > mode is characterized as something which should be avoided (I have
> > read the FAQ and my question is not about information contained in
> > it). For example, grub team rejected patches for supporting plain
> > mode (and other features like detached LUKS header) because it was
> > considered as a "bad" feature (to be precise, the objection of grub
> > team was that in grub v2 'grub-install' should autodetect everything
> > which is impossible for plain mode).
> >
> > My question is follows: will dm-crypt and cryptsetup support plain
> > mode encryption in future years? My question may sound somewhat
> > extreme, but in recent years there were cases when big open software
> > projects eliminated significant features and some portion of their
> > user base.
>
> The "plain" mode is just direct wrapper around dm-crypt. The only
> difference is if keyfile (in cryptsetup) is not used, the volume key is
> directly derived from a password (that is not a good practice).
>
> If you use randomly generated keyfile and the same encryption algorithm is
> used, then there is really no "security" difference comparing to LUKS,
> except usability (in the plain mode you have to maintain all parameters,
> in LUKS the header metadata solves it for you).
>
> The plain mode is not going to be removed from cryptsetup (as long as I am
> the maintainer :), maybe we will have to change default encryption
> algorithm parameters though (you can always overwrite it using command
> line switches).
>
> Milan

Plain mode definitely has its uses. Whenever you put in a real
encryption key or a high-quality passphrase, there are no security
issues with plain mode and you avoid a lot of overhead while mapping
the container. It is something to use only when you know what you
are doing, but it is easy to use in that case and definitely
worthwhile to have. Hence I fully support the decision to keep it in.

I do have to say that I think there is a dangerous tendency in the
Linux community lately with some teams prioritizing their own view
of how things should be used and ignoring what their users actually
could use. This is a mind-set from the Windows world, where doing
anything the developers did not envision is exceptionally hard. It
does not fit the UNIX philosophy at all, but I guess it was
unavoidable with Linux becoming more important.

Regards,
Arno

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
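
The two points made in the thread (use a randomly generated keyfile, and keep every parameter yourself because plain mode has no header and the defaults may change) can be combined as below. This is an added example, not part of the original messages or of cryptsetup's own documentation; the function names, the sidecar file format, the mapping name, the cipher choice and the `/dev/sdX1` device are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: pin every plain-mode parameter, since no header stores them.
# Function names and the key=value sidecar format are hypothetical.

# Create a random keyfile of bits/8 bytes, readable only by the owner.
make_keyfile() {
    local path="$1" bits="$2"
    ( umask 077 && head -c "$((bits / 8))" /dev/urandom > "$path" ) || return 1
    # Refuse to continue if the keyfile came out shorter than the key size.
    [ "$(wc -c < "$path")" -eq "$((bits / 8))" ]
}

# Record the parameters a LUKS header would otherwise have remembered.
save_params() {
    local file="$1" cipher="$2" bits="$3" offset="$4"
    ( umask 077 && printf 'cipher=%s\nkey_size=%s\noffset=%s\n' \
        "$cipher" "$bits" "$offset" > "$file" )
}

# Print (do not run) the open command, built only from the saved values so
# that a change in cryptsetup's built-in defaults cannot alter the mapping.
plain_open_cmd() {
    local params="$1" keyfile="$2" device="$3" name="$4"
    local cipher key_size offset
    cipher=$(sed -n 's/^cipher=//p' "$params")
    key_size=$(sed -n 's/^key_size=//p' "$params")
    offset=$(sed -n 's/^offset=//p' "$params")
    # A missing value would fall back to a default: fail instead.
    [ -n "$cipher" ] && [ -n "$key_size" ] && [ -n "$offset" ] || return 1
    printf 'cryptsetup open --type plain --cipher %s --key-size %s --offset %s --key-file %s %s %s\n' \
        "$cipher" "$key_size" "$offset" "$keyfile" "$device" "$name"
}

# Demo with throwaway paths (constructed; /dev/sdX1 is a placeholder device).
demo_dir=$(mktemp -d)
make_keyfile "$demo_dir/vol.key" 512 &&
save_params "$demo_dir/vol.params" aes-xts-plain64 512 0 &&
plain_open_cmd "$demo_dir/vol.params" "$demo_dir/vol.key" /dev/sdX1 plainvol
rm -rf "$demo_dir"
```

Because plain mode has no header to verify against, keep the keyfile and the parameter file backed up together.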