Bug#371135: [Pkg-cryptsetup-devel] Bug#371135: encrypted swap with variable key fails

Jonas Meurer jonas at freesources.org
Tue Jun 20 20:10:24 UTC 2006


On 20/06/2006 Andrew Pimlott wrote:
> > there may exist situations
> > where you don't want your device to be marked as 'contains encrypted
> > data'.
> 
> Right, however most users would be happy to put such a mark if it
> increased safety.  So it would be a nice option.

yes, that's exactly what Michael proposed. write some identifying flag
into the first or last sector of a device to mark it as plain dm-crypt
swap.

patches are welcome ;-)

> > > 2.  If I use LUKS for all encrypted filesystems, I believe it is
> > >     possible to perform the negative identification above.  That is, if
> > >     I don't see the LUKS header, and the partition does not have an
> > >     unencrypted volume, then it is safe to destroy.  So let me promise
> > >     that I have no non-LUKS encrypted filesystems.
> > 
> > i'm not sure that i understand. you mean that all encrypted non-swap
> > devices should be LUKS devices? we should never expect that.
> 
> I mean _if I explicitly promise so_, we should expect that.  So give me
> some configuration directive like LuksOnly that I can set.

looks like overkill for me. users who use only luks don't need to
specify that. 'cryptsetup isLuks' is run against every source device
anyway, before invoking 'cryptsetup luksOpen'. so there should be no
need for a LuksOnly option.

...
 jonas
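
Added example, not part of the original message or of the cryptsetup package: a sketch of the pre-check discussed in this thread, which accepts a device for random-key swap only if it has no LUKS header and carries an identifying flag in its first sector. The marker string and all function names are hypothetical (the thread defines no flag format), and the LUKS test here looks only at the header magic bytes, a simplification of what 'cryptsetup isLuks' does.

```shell
#!/bin/sh
# Pre-check before (re)creating random-key swap on a source device.
# MARKER is a hypothetical flag value; the thread proposes a flag but
# does not define one. A real setup would also have to start the
# dm-crypt mapping after the marker sector so swap never overwrites it.
MARKER="PLAIN-DMCRYPT-SWAP"

# read_hex FILE OFFSET LENGTH: print LENGTH bytes at OFFSET as lowercase hex
read_hex() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null \
        | od -An -v -tx1 | tr -d ' \n'
}

# LUKS headers begin with the magic bytes 'L' 'U' 'K' 'S' 0xBA 0xBE.
is_luks() {
    [ "$(read_hex "$1" 0 6)" = "4c554b53babe" ]
}

# True if the first sector starts with the (hypothetical) swap marker.
has_swap_marker() {
    want=$(printf '%s' "$MARKER" | od -An -v -tx1 | tr -d ' \n')
    [ "$(read_hex "$1" 0 "${#MARKER}")" = "$want" ]
}

# classify DEVICE: prints luks, marked-swap or unknown
classify() {
    if is_luks "$1"; then
        echo luks
    elif has_swap_marker "$1"; then
        echo marked-swap
    else
        echo unknown
    fi
}

# Positive identification only: anything unmarked is left alone, so a
# plain dm-crypt data volume (which has no header) is never destroyed.
safe_to_rekey() {
    [ "$(classify "$1")" = "marked-swap" ]
}

if [ $# -gt 0 ]; then
    classify "$1"
fi
```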



