From: Matti Nykyri <matti.nykyri@iki.fi>
To: "gentoo-user@lists.gentoo.org" <gentoo-user@lists.gentoo.org>
Subject: Re: [gentoo-user] [SOLVED] Running cryptsetup under mdev
Date: Mon, 12 May 2014 10:21:18 +0300 [thread overview]
Message-ID: <59634846-CDC4-46A1-84AC-E2333D261399@iki.fi> (raw)
In-Reply-To: <adc2d4fb-ef5a-4c35-a3bf-15064e3586ce@email.android.com>
On May 7, 2014, at 21:57, "J. Roeleveld" <joost@antarean.org> wrote:
> The create and remove commands with LUKS also require root. They use a session manager in desktop environments to allow users to do it. Sudo with a secure wrapper script might be sufficient for you?
>
> I was wondering. What is the actual reason why cryptsetup has a LUKS and non-LUKS set of options?
Well that is of course to let you have the control over how the encryption is done.
In the kernel point of view the disk encryption is just bare encryption with the given parameters. These include the cipher (AES etc), the mode (CBC, CTR etc) and Initialization Vector (IV) creation (ESSIV etc) and last but not least the key that is used with the cipher. Now without LUKS cryptsetup just sets these parameters and you have to provide them each time to cryptsetup when you are using your encrypted volume.
With LUKS cryptsetup will store all these parameters in a binary format. By default this binary data is stored at the beginning of the disk. Kernel then only uses the remaining disk space for encryption. The binary data at the beginning of the disk is not encrypted because the setup would the be unreadable.
When you setup a LUKS partition, cryptsetup creates a random key used for encryption the partition. Using a random key for disk encryption is an absolute MUST! A hash of this key is stored in binary data to do key verification. By default a 128k salt is created for each password you wish to use to access the disk (anti forensics). The disk key is then encrypted with the salt and the password. The salt and the encrypted key is stored in the binary data.
If the salt is lost, the disk key is lost and recovery of your data is virtually impossible with only your password. With only the password it is impossible to decrypt the disk. If you have a backup of the disk key, with that key you can decrypt the disk without the password.
All the steps done by LUKS are necessary for a proper disk encryption! If you do not use LUKS you need to write your own software to do the necessary steps! Cryptsetup without LUKS uses just a plain hash function without a salt to derive disk key from your password. The entropy in this kind of key creation is not nearly enough for secure disk encryption!
Unless you know what you are doing use LUKS.
--
-Matti
next prev parent reply other threads:[~2014-05-12 7:21 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-06 18:31 [gentoo-user] Problems with loop-aes Walter Dnes
2014-05-06 18:45 ` J. Roeleveld
2014-05-06 21:34 ` Walter Dnes
2014-05-07 6:11 ` J. Roeleveld
2014-05-07 18:11 ` [gentoo-user] [SOLVED] Running cryptsetup under mdev Walter Dnes
2014-05-07 18:57 ` J. Roeleveld
2014-05-08 10:36 ` Andrew Savchenko
2014-05-12 6:51 ` J. Roeleveld
2014-05-12 7:21 ` Matti Nykyri [this message]
2014-05-12 7:24 ` Matti Nykyri
2014-05-06 21:50 ` [gentoo-user] Problems with loop-aes Alon Bar-Lev
2014-05-07 4:36 ` Walter Dnes
2014-05-07 6:48 ` Alon Bar-Lev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=59634846-CDC4-46A1-84AC-E2333D261399@iki.fi \
--to=matti.nykyri@iki.fi \
--cc=gentoo-user@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox