On 13/11/2019 16:15, mgreger@xxxxxxxxxxxx wrote:
1) Should it be possible to use a detached header and --integrity options to cryptsetup at the same time? When I try, I get a message 'No integrity superblock detected on header.'
The current design is that integrity metadata will stay on the data device (even with a detached LUKS header), and these are not encrypted (encryption is not implemented, but has some support in the kernel).

So with the current code, we are not going to support the detached header for authenticated encryption (integrity protection); we should fix the code to explicitly print a warning about it. (The message above is misleading.)

There is still a note about the --integrity option being experimental, and it stays this way for some time... (Maybe forever, if we find that the model that allows replay attacks on the sector level is just inadequate.)

Milan