[linux-lvm] RFC: DM encryption target?
jon+lvm at silicide.dk
jon+lvm at silicide.dk
Fri Sep 26 07:50:02 UTC 2003
On Thu, Sep 25, 2003 at 06:07:58PM +0200, Christophe Saout wrote:
> Am Mi, den 24.09.2003 schrieb Goetz Bock um 16:21:
>
> > > Another way to do a password change would be to not reencrypt the device
> > > but to store the symmetrical key somewhere else and encrypt it with a
> > > password hash and to just reencrypt that key with another password.
> > That would be nice, just use the first block for the key (giving you
> > 512byte keysize, and you can generate a realy strong key[*]).
> >
> > Just in idea.
> >
> > [*] yes, i know it's only as strong as the user's password.
> > Security is only as good as it's weekest link, and in the end
> > that's always the user.
>
> I don't know, but couldn't the use of a one-sector block slow things
> down because of alignment issues? Perhaps using a 4k block would be more
> useful or storing the sector at the end of the device (like the linux
> raid info sector).
maybe, but does it matter? You only read the sector once, when you "open"
the device, and write to it when you change password. During use, the real
key is stored in memory, like any other encryption device.
> I think that 512 bytes / 4096 bits should really be enough to store the
> keys.
>
> I could store the data in a simple text format, starting with a magic
> header. Something like:
>
> #CrYpT
> version = 1
> cipher = "aes"
> mode = "cbc"
> keysize = 256
> pwdsalt = "0e3a5b4c"
> pwdhash = "md5"
> pwdenc = "3des"
> key = "8e3eb...blabla..."
> hash = "23e4f"
> node = "/dev/mapper/crypt"
> offset = ...useful?
> size = ...useful?
this could be usefull
> I'm really no crypto expert, but does this sound reasonable?
yes, see how ppdd does it, or, in one week how me and my friend does it.
JonB
More information about the linux-lvm
mailing list