From: Christoph Anton Mitterer <calestyo@scientia.org>
To: Surmont Jasper <jasper.surmont@aalto.fi>
Cc: cryptsetup@lists.linux.dev
Subject: Re: [Question] Distinction responsibilities LUKS and dm-crypt
Date: Thu, 31 Mar 2022 21:32:04 +0200 [thread overview]
Message-ID: <8583a15d8b2a72eebb72950a3cbf210bc74649d1.camel@scientia.org> (raw)
In-Reply-To: <PR3P192MB10874E4159B71C71097583B4F1E19@PR3P192MB1087.EURP192.PROD.OUTLOOK.COM>
On Thu, 2022-03-31 at 18:56 +0000, Surmont Jasper wrote:
> So, would I be correct to write that the ability to have
> authenticated encryption depends on the underlying storage format
> (where eg LUKS1 does not support it, and LUKS2 does)?
Well practically (as of now), yes,... but that's more from an
engineering PoV.
You simply need some place where the integrity data is stored - with
cryptsetup+AEAD this is done within the LUKS2 container (not supported
with LUKS1)... but if you use dm-verity alone, there is no LUKS and the
integrity data is stored in an extra (hash_)device.
> You also mentioned encryption without LUKS has more pros than cons.
Oops,... I've meant the otherway round: it's in nearly all cases better
to use LUKS.
> so what are the main advantages of using something else than LUKS?
The "else" is only plain dm-dmcrypt devices (i.e. no meta-data stored
on disk)... unless you count 3rd party formats in like bitlocker.
Some people may say that with "plain" you get some level of plausible
deniability - i.e. you could say there is no encrypted data on the
device.
Whether that works out in practise is another question - I'd kinda
doubt that the <random evil country>-torturer would believe you, if
you'd insist that you've filled some good parts of your device with
seemingly random data just for the fun of it.
It may have some tiny advantages when using it for temporary devices
(like temporarily encrypted swap devices).
Cheers,
Chris.
next prev parent reply other threads:[~2022-03-31 20:49 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-31 18:21 [Question] Distinction responsibilities LUKS and dm-crypt Surmont Jasper
2022-03-31 18:29 ` Christoph Anton Mitterer
[not found] ` <PR3P192MB10874E4159B71C71097583B4F1E19@PR3P192MB1087.EURP192.PROD.OUTLOOK.COM>
2022-03-31 19:32 ` Christoph Anton Mitterer [this message]
2022-04-01 8:45 ` Michael Kjörling
2022-03-31 18:52 ` Arno Wagner
2022-03-31 18:58 ` Michael Kjörling
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8583a15d8b2a72eebb72950a3cbf210bc74649d1.camel@scientia.org \
--to=calestyo@scientia.org \
--cc=cryptsetup@lists.linux.dev \
--cc=jasper.surmont@aalto.fi \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).