On Friday, 1 May 2015, 15:30:36, Herbert Xu wrote:

Hi Herbert,

> > So who is doing the encrypting/decrypting in this case?

The steps from entering the password until having the full dm-crypt partition mounted are, assuming that in my example we use AES256-CBC as cipher:

1. libcryptsetup: asks for the user's password
2. libcryptsetup/libgcrypt perform PBKDF to obtain key P
3. libcryptsetup: create a dm-crypt mapping of the LUKS header with AES256-CBC(P)
4. libcryptsetup: mount the dm-crypt mapping and read out the master volume key M
4a. kernel: perform en/decryption of LUKS header with AES256-CBC for the read/write operations of libcryptsetup
5. libcryptsetup: unmount of dm-crypt mapping
6. libcryptsetup: destroy dm-crypt mapping and forget P
7. libcryptsetup: create dm-crypt mapping of the disk encryption container holding the user data using AES256-CBC(M) -- this starts at the offset where the LUKS header ends
8. somebody calls mount to mount the created dm-crypt mapping
9. kernel: perform AES256-CBC operation for subsequent operations on mounted dm-crypt mapping

My idea would be to use keywrap in step 3.

Ciao
Stephan