
Re: [OCLUG-Tech] encrypted filesystems -- LUKS versus eCryptfs?

Perhaps you should read the footer of every email.

mps

> On Jan 2, 2014, at 9:58 AM, Phil Labonté <plabonte [ at ] gmail [ dot ] com> wrote:
> 
> How do I unsubscribe from this list?????
> 
> Sent from my iPod
> 
>>> On Jan 2, 2014, at 9:43 AM, Martin Hicks <mort [ at ] bork [ dot ] org> wrote:
>>> 
>>> On Mon, Dec 23, 2013 at 4:18 PM, Alex Pilon <alp [ at ] alexpilon [ dot ] ca> wrote:
>>> On Mon, Dec 23, 2013 at 03:47:05PM -0500, Robert P. J. Day wrote:
>>> 
>>> LUKS does block device symmetric encryption. It's in a way a wrapper
>>> around dm-crypt. Plain dm-crypt requires you to specify all the
>>> parameters manually, whereas LUKS creates a header at the beginning of
>>> the block device. dm-crypt requires you to understand the crypto, and
>>> won't do things like salting your secret. LUKS will randomly generate
>>> (and salt if I recall correctly) a master secret, and provide ten
>>> “slots” for weaker secrets (e.g., passwords, passphrases, or binary data
>>> of your choosing), which it'll run through PBKDF2.
>> 
>> This is close, but there is no "weaker" secret.  For each "slot" (of
>> which I think there are 8) that is activated, the "Master" key is
>> encrypted using the passphrase/data that is provided when the slot is
>> enabled/configured (when you create a new LUKS device, there is only a
>> single slot activated).  In the default configuration, the Master Key
>> is an AES encryption key.
>> 
>> Later, when you're prompted for the passphrase to unlock the LUKS
>> device, cryptsetup loops through each enabled slot using the provided
>> passphrase and gets some Master Key as a result.  It verifies (I can't
>> remember how...looks for a header?) if this Master Key makes sense
>> i.e., it successfully decrypts some data in a way that yields correct
>> plaintext.
>> 
>> So, with multiple slots enabled the Master Key is encrypted multiple
>> times using different passphrases and PBKDF2.
>> 
>> mh
>> 
>> -- 
>> Martin Hicks P.Eng.      |         mort [ at ] bork [ dot ] org
>> Bork Consulting Inc.     |   +1 (613) 266-2296
>> _______________________________________________
>> Linux mailing list
>> Linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
>> http://oclug.on.ca/mailman/listinfo/linux
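The key-slot scheme Martin describes above (one random master key, wrapped separately in each enabled slot under a PBKDF2-derived key, and verified on unlock by checking the candidate against a digest in the header) is easier to see in code. The following is an added, simplified model written for this archive page; it is not cryptsetup's code and not code from anyone on the thread. It keeps the LUKS1 structure (8 slots, per-slot salt and iteration count, a PBKDF2 digest of the master key stored in the header) but, so that it runs with only the Python standard library, the AES wrap and anti-forensic split that real LUKS applies to the slot material are replaced by a stand-in HMAC-SHA256 counter-mode keystream. Class and method names (`LuksHeader`, `format`, `add_key`, `open`, `kill_slot`) are chosen to mirror the cryptsetup actions they imitate and are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Simplified model of the LUKS1 key-slot scheme (illustration only, not cryptsetup code).
# Real LUKS wraps the master key with AES plus an anti-forensic splitter; here the
# wrap is a stand-in HMAC-SHA256 counter keystream so the example needs only stdlib.

NUM_SLOTS = 8                # LUKS1 headers carry 8 key slots
MASTER_KEY_LEN = 32          # 256-bit master key (e.g. for aes-xts-plain64)
SALT_LEN = 32
PBKDF2_ITERATIONS = 100_000  # illustrative; cryptsetup benchmarks this per machine


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the AES wrap: XOR data with an HMAC-SHA256 counter keystream."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def mk_digest(master_key: bytes, salt: bytes, iterations: int) -> bytes:
    """Header stores PBKDF2(master key, digest salt); this is how a candidate key is checked."""
    return hashlib.pbkdf2_hmac("sha256", master_key, salt, iterations, dklen=20)


def slot_key(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """Per-slot key: the user's passphrase run through PBKDF2 with that slot's own salt."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=MASTER_KEY_LEN)


class LuksHeader:
    def __init__(self):
        # A fresh device gets a random master key. The header never stores the key
        # itself, only its digest and one wrapped copy per enabled slot.
        self._fresh_master_key = secrets.token_bytes(MASTER_KEY_LEN)
        self.digest_salt = secrets.token_bytes(SALT_LEN)
        self.digest_iterations = PBKDF2_ITERATIONS
        self.digest = mk_digest(self._fresh_master_key, self.digest_salt, self.digest_iterations)
        self.slots = [None] * NUM_SLOTS

    def format(self, passphrase: bytes) -> int:
        """Like luksFormat: enable a single slot, then forget the plaintext master key."""
        index = self._add_slot(self._fresh_master_key, passphrase)
        self._fresh_master_key = None
        return index

    def add_key(self, existing_passphrase: bytes, new_passphrase: bytes) -> int:
        """Like luksAddKey: recover the master key via an existing slot, wrap it again."""
        master_key, _ = self.open(existing_passphrase)
        return self._add_slot(master_key, new_passphrase)

    def _add_slot(self, master_key: bytes, passphrase: bytes) -> int:
        for i, slot in enumerate(self.slots):
            if slot is None:
                salt = secrets.token_bytes(SALT_LEN)
                key = slot_key(passphrase, salt, PBKDF2_ITERATIONS)
                self.slots[i] = {"salt": salt, "iterations": PBKDF2_ITERATIONS,
                                 "wrapped": _keystream_xor(key, master_key)}
                return i
        raise RuntimeError("all key slots are in use")

    def open(self, passphrase: bytes):
        """Like luksOpen: try every enabled slot; accept the candidate whose digest matches."""
        for i, slot in enumerate(self.slots):
            if slot is None:
                continue
            key = slot_key(passphrase, slot["salt"], slot["iterations"])
            candidate = _keystream_xor(key, slot["wrapped"])
            check = mk_digest(candidate, self.digest_salt, self.digest_iterations)
            if hmac.compare_digest(check, self.digest):
                return candidate, i
        raise ValueError("no key slot matched the passphrase")

    def kill_slot(self, index: int) -> None:
        """Like luksKillSlot: drop one wrapped copy; other slots still unlock the device."""
        self.slots[index] = None


def demo() -> dict:
    """Two passphrases in two slots recover the same master key; killing one slot leaves the other."""
    hdr = LuksHeader()
    first = hdr.format(b"correct horse")          # constructed sample passphrases
    second = hdr.add_key(b"correct horse", b"battery staple")
    mk_a, slot_a = hdr.open(b"correct horse")
    mk_b, slot_b = hdr.open(b"battery staple")
    hdr.kill_slot(first)
    try:
        hdr.open(b"correct horse")
        first_still_works = True
    except ValueError:
        first_still_works = False
    mk_c, _ = hdr.open(b"battery staple")
    return {"first": first, "second": second, "same_key": mk_a == mk_b == mk_c,
            "slots": (slot_a, slot_b), "first_still_works": first_still_works}
```

The digest check is what lets `open` tell a wrong passphrase from a right one: a wrong passphrase still yields some 32-byte candidate, it just fails the header digest. It also shows why the scheme is only as strong as the weakest enabled passphrase, since any slot alone recovers the full master key.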