On Monday 25 Jun 2012 09:16:23 Claudius Hubig wrote:
> Nick Boyce <n...@glimmer.adsl24.co.uk> wrote:
>
> > The installer uses 'dm-crypt' to encrypt the drive, rather than the full
> > LUKS system - and 'dm-crypt' generates the encryption key directly from
> > the pass-phrase, rather than storing the encryption key in an on-volume
> > "header" protected by the pass-phrase.
>
> Are you sure about that? I've set up quite a few systems and it
> always used LUKS.
No, I'm not sure - but I picked up that understanding from reading a lot of
forum threads about setting up new systems with encrypted disks. I gained the
distinct impression that current distribution installers use 'dm-crypt' for
simplicity, and that this is the same as 'cryptsetup' in "plain" mode as
opposed to 'LUKS' mode.

Now that I've been reading more in-depth history of Linux filesystem crypto
tools, I think the problem is that quite a lot of the documentation out there
is old, obsolete and misleading :)

Many pages report the home of dm-crypt as being:

  http://www.saout.de/misc/dm-crypt/

but I now think that site is woefully out of date, and consequently somewhat
misleading. Among other things, it says this:

  "Clemens Fruhwirth is maintaining an enhanced version of cryptsetup with
  the LUKS extension that allows you to have an on-disk block of metadata
  which is superior to the current mechanism and was my long term plan
  anyway but I didn't find the time to implement that yet"

and this:

  "Because the way using dmsetup directly is too complicated for most people
  I'm currently writing a native cryptsetup program to behave like one of
  the patched losetup's out there"

The Debian Installation Manual [3] says:

  "debian-installer supports several encryption methods. The default method
  is dm-crypt"

I think it all needs updating and clarifying ...

Anyway, I was concerned not to attempt to do a 'cryptsetup
luksDelKey/luksAddKey' if there isn't actually an on-disk LUKS header to be
manipulated (for fear of corrupting the start of a "plain-mode" encrypted
volume).

> You can check with
> # cryptsetup luksDump <device>

Hmm .. well thanks for that command (I'm a novice) ... which confirms what
you say - my single encrypted raw disk partition (containing the LVM mapped
system volumes) does indeed have a LUKS header, with 8 keyslots; slot 0 is
marked "ENABLED", while the other 7 are "DISABLED".
I think I'll proceed by doing a 'luksHeaderBackup', and then trying a
pass-phrase change. The subject will be 350Gb of data which has taken two
months to set up, so I'll be holding my breath :-/

Thanks a lot for the clues !

[3] http://www.debian.org/releases/stable/amd64/ch06s03.html.en#partman-crypto

Cheers
Nick
--
Never FDISK after midnight

Archive: http://lists.debian.org/201206252154.23102.n...@glimmer.adsl24.co.uk
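The check-then-change procedure the thread arrives at (confirm there really is a LUKS header, back it up, only then touch keyslots), written out as a shell script. This is an added example and not code from the thread or from the cryptsetup project. It assumes a LUKS1 header whose 'luksDump' output prints one "Key Slot N: ENABLED|DISABLED" line per slot, as the message above describes, and a cryptsetup new enough to have 'isLuks', 'luksHeaderBackup', 'luksKillSlot' and 'open --test-passphrase' (1.6 or later; the 2012-era 1.4 lacks the last one). The sample dump text is constructed to mirror the poster's layout (slot 0 enabled, 1-7 disabled) and uses spaces where real output uses tabs.

```shell
#!/bin/sh
# Added example: rotate a LUKS1 passphrase without ever being locked out.
# Not from the original thread. Assumes LUKS1 'luksDump' format and
# cryptsetup >= 1.6 (for 'open --test-passphrase'). Must run as root.

# Constructed sample of LUKS1 'cryptsetup luksDump' output (not captured
# from a real disk): slot 0 in use, slots 1-7 free.
SAMPLE_DUMP='LUKS header information for /dev/sda5

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 2056
MK bits:        256
Key Slot 0: ENABLED
    Iterations:          123456
    Salt:                00 11 22 33
    Key material offset: 8
    AF stripes:          4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Constructed sample with every slot taken, to exercise the "no free slot" path.
SAMPLE_DUMP_FULL='Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: ENABLED
Key Slot 3: ENABLED
Key Slot 4: ENABLED
Key Slot 5: ENABLED
Key Slot 6: ENABLED
Key Slot 7: ENABLED'

# enabled_slots DUMP_TEXT -> space-separated numbers of ENABLED slots.
# The space before ENABLED keeps "DISABLED" from matching.
enabled_slots() {
    printf '%s\n' "$1" | sed -n -E 's/^Key Slot ([0-7]): ENABLED.*/\1/p' \
        | tr '\n' ' ' | sed 's/ $//'
}

# first_free_slot DUMP_TEXT -> lowest DISABLED slot number, or empty if none.
first_free_slot() {
    printf '%s\n' "$1" | sed -n -E 's/^Key Slot ([0-7]): DISABLED.*/\1/p' \
        | head -n 1
}

# rotate_passphrase DEVICE
# Adds the new passphrase to a free slot, proves it unlocks the volume, and
# only then kills the old slot(s). The header backup is taken first so a
# mistake (or a power cut mid-write) is recoverable with luksHeaderRestore.
rotate_passphrase() {
    dev=$1

    # 1. Refuse to touch a device without a LUKS header: a plain-mode
    #    dm-crypt volume has no keyslots, and writes would corrupt its data.
    if ! cryptsetup isLuks "$dev"; then
        echo "$dev: no LUKS header found, refusing to modify" >&2
        return 1
    fi

    dump=$(cryptsetup luksDump "$dev")
    old_slots=$(enabled_slots "$dump")
    new_slot=$(first_free_slot "$dump")
    if [ -z "$new_slot" ]; then
        echo "$dev: all 8 keyslots are in use, free one first" >&2
        return 1
    fi

    # 2. Back up the header before any write. The file contains the
    #    (passphrase-wrapped) master key: keep it offline and shred it later.
    backup="luks-header-$(date +%Y%m%d%H%M%S).img"
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup" || return 1
    echo "header backed up to $backup" >&2

    # 3. Add the new passphrase into the free slot. cryptsetup prompts for
    #    an existing passphrase first, then for the new one.
    cryptsetup luksAddKey "$dev" --key-slot "$new_slot" || return 1

    # 4. Prove the new slot actually unlocks the volume. This prompts for
    #    the new passphrase and tries only that slot; nothing is mapped.
    cryptsetup open --test-passphrase --key-slot "$new_slot" "$dev" || {
        echo "new passphrase did not unlock slot $new_slot; old slots untouched" >&2
        return 1
    }

    # 5. Only now retire the old slot(s).
    for s in $old_slots; do
        cryptsetup luksKillSlot "$dev" "$s" || return 1
    done
    echo "done: slot $new_slot active, killed slot(s): $old_slots" >&2
}

# Run only when a device is given, e.g.:  sh rotate-luks.sh /dev/sda5
if [ "$#" -eq 1 ]; then
    rotate_passphrase "$1"
fi
```

Why add-then-kill rather than 'luksChangeKey': changing a slot in place means the old passphrase is gone the moment the slot is rewritten, so a typo in the new one locks you out with nothing but the header backup to fall back on. With a free slot the old passphrase keeps working until step 4 has proven the new one, which is what you want on 350GB that took two months to build.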