On Fri, Dec 13, 2019 at 19:54:48 CET, Chris Murphy wrote: > On Fri, Dec 13, 2019 at 7:59 AM Milan Broz <gmazyland@xxxxxxxxx> wrote: > > > > Hi, > > > > On 07/12/2019 00:10, Chris Murphy wrote: > > > I'm wondering if it's possible, or LUKS2 could be extended, to support > > > an non-encrypted target. That is, the virtual device and backing > > > device would contain the same information. > > > > (You are not the first one asking for support for this option.) > > > > In fact, the support is already there. But I am reluctant to officially > > support it for a very long time, because it would be super confusing > > for users (We have LUKS, but actually no encryption?!) > > I agree there is potential for confusion. And it might be out of scope for LUKS. > > When I do: > # blkid > > I see a partition is TYPE="crypto_LUKS" and that's a fairly difficult > statement of fact to overcome with a "yeah but it really isn't crypto, > you should have run this other command that would tell you that". > > There is a valid argument that the crypto_LUKS signature should be > trusted to mean the contents are in fact ciphertext,, and not > pseudo-ciphertext trivially unlocked. Very much so. Security is hard enough if KISS is used everywhere. When KISS is violated, things become impossible to understand and manage. Most successful engineering these days is not only smart people doing things, it is smart people with a lot of experience following KISS and hence actually understanding what they are doing. Regards, Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- A good decision is based on knowledge and not on numbers. -- Plato If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx https://www.saout.de/mailman/listinfo/dm-crypt