[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [linux-lvm] RFC: DM encryption target?



On Thu, Sep 25, 2003 at 06:07:58PM +0200, Christophe Saout wrote:
> Am Mi, den 24.09.2003 schrieb Goetz Bock um 16:21:
> 
> > > Another way to do a password change would be to not reencrypt the device
> > > but to store the symmetrical key somewhere else and encrypt it with a
> > > password hash and to just reencrypt that key with another password.
> > That would be nice, just use the first block for the key (giving you
> > 512byte keysize, and you can generate a realy strong key[*]).
> > 
> > Just in idea.
> > 
> > [*] yes, i know it's only as strong as the user's password. 
> >     Security is only as good as it's weekest link, and in the end
> >     that's always the user.
> 
> I don't know, but couldn't the use of a one-sector block slow things
> down because of alignment issues? Perhaps using a 4k block would be more
> useful or storing the sector at the end of the device (like the linux
> raid info sector).

maybe, but does it matter? You only read the sector once, when you "open"
the device, and write to it when you change password. During use, the real
key is stored in memory, like any other encryption device.


> I think that 512 bytes / 4096 bits should really be enough to store the
> keys.
> 
> I could store the data in a simple text format, starting with a magic
> header. Something like:
> 
> #CrYpT
> version = 1
> cipher = "aes"
> mode = "cbc"
> keysize = 256
> pwdsalt = "0e3a5b4c"
> pwdhash = "md5"
> pwdenc = "3des"
> key = "8e3eb...blabla..."
> hash = "23e4f"
> node = "/dev/mapper/crypt"
> offset = ...useful?
> size = ...useful? 

this could be usefull


> I'm really no crypto expert, but does this sound reasonable?

yes, see how ppdd does it, or, in one week how me and my friend does it.

 


JonB 



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]