How do I unsubscribe from this list????? Sent from my iPod > On Jan 2, 2014, at 9:43 AM, Martin Hicks <mort [ at ] bork [ dot ] org> wrote: > >> On Mon, Dec 23, 2013 at 4:18 PM, Alex Pilon <alp [ at ] alexpilon [ dot ] ca> wrote: >> On Mon, Dec 23, 2013 at 03:47:05PM -0500, Robert P. J. Day wrote: >> >> LUKS does block device symmetric encryption. It's in a way a wrapper >> around dm-crypt. Plain dm-crypt requires you to specify all the >> parameters manually, whereas LUKS creates a header at the beginning of >> the block device. dm-crypt requires you to understand the crypto, and >> won't do things like salting your secret. LUKS will randomly generate >> (and salt if I recall correctly) a master secret, and provide ten >> “slots” for weaker secrets (e.g., passwords, passphrases, or binary data >> of your chosing), which it'll run through PBKDF2. > > This is close, but there is no "weaker" secret. For each "slot" (of > which I think there are 8) that is activated, the "Master" key is > encrypted using the passphrase/data that is provided when the slot is > enabled/configured (when you create a new LUKS device, there is only a > single slot activated). In the default configuration, the Master Key > is an AES encryption key. > > Later, when you're prompted for the passphrase to unlock the LUKS > device, cryptsetup loops through each enabled slot using the provided > passphrase and gets some Master Key as a result. It verifies (I can't > remember how...looks for a header?) if this Master Key makes sense > i.e., it successfully decrypts some data in a way that yields correct > plaintext. > > So, with multiple slots enabled the Master Key is encrypted multiple > times using different passphrases and PBKDF2. > > mh > > -- > Martin Hicks P.Eng. | mort [ at ] bork [ dot ] org > Bork Consulting Inc. | +1 (613) 266-2296 > _______________________________________________ > Linux mailing list > Linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca > http://oclug.on.ca/mailman/listinfo/linux