[pkg-cryptsetup-devel] Bug#612452: Bug#612452: cryptsetup: filesystem check with blkid script is not reliable

[Jonas Meurer]

Hello Milan, hey Christoph,

Thanks Milan for the explanation why the ext3 filesystem is detected
even with a different initalization vector.

To be honest, I cannot do anything about the bugreport, but again and
again suggest to set the used cipher, hash and keysize for plain
dm-crypt devices in /etc/crypttab.

In fact the debian NEWS file already suggests this with the upgrade to
cryptsetup 1.1.0 or later:

  The default key size for LUKS was changed from 128 to 256 bits, and default
  plain mode changed from aes-cbc-plain to aes-cbc-essiv:sha256.
  In case that you use plain mode encryption and don't have set cipher and hash
  in /etc/crypttab, you should do so now. The new defaults are not backwards
  compatible. See the manpage for crypttab(5) for further information. If your
  dm-crypt setup was done by debian-installer, you can ignore that warning.

I now added the following to /etc/crypttab in order to make this
suggestion more visible:

  The upstream defaults for encryption cipher, hash and keysize have changed
  several times in the past, and they're expected to change again in future,
  for example if security issues arise.

  On LUKS devices, the used settings are stored in the LUKS header, and thus
  don't need to be configured in /etc/crypttab. For plain dm-crypt devices, no
  information about used cipher, hash and keysize are available at all.

  Therefore we strongly suggest to configure the cipher, hash and keysize in
  /etc/crypttab for plain dm-crypt devices, even if they match the current
  default.

This bugreport will be closed with the next upload.

greetings,
 jonas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-cryptsetup-devel/attachments/20110217/f6befad2/attachment.pgp>