[pkg-cryptsetup-devel] Bug#612452: Bug#612452: cryptsetup: filesystem check with blkid script is not reliable
Jonas Meurer
jonas at freesources.org
Thu Feb 17 20:26:32 UTC 2011
Hello Milan, hey Christoph,

Thanks Milan for the explanation why the ext3 filesystem is detected
even with a different initialization vector.

To be honest, I cannot do anything about the bugreport, but again and
again suggest to set the used cipher, hash and keysize for plain
dm-crypt devices in /etc/crypttab.

In fact the debian NEWS file already suggests this with the upgrade to
cryptsetup 1.1.0 or later:

  The default key size for LUKS was changed from 128 to 256 bits, and default
  plain mode changed from aes-cbc-plain to aes-cbc-essiv:sha256.

  In case that you use plain mode encryption and don't have set cipher and hash
  in /etc/crypttab, you should do so now. The new defaults are not backwards
  compatible. See the manpage for crypttab(5) for further information. If your
  dm-crypt setup was done by debian-installer, you can ignore that warning.

I now added the following to /etc/crypttab in order to make this
suggestion more visible:

  The upstream defaults for encryption cipher, hash and keysize have changed
  several times in the past, and they're expected to change again in future,
  for example if security issues arise.

  On LUKS devices, the used settings are stored in the LUKS header, and thus
  don't need to be configured in /etc/crypttab. For plain dm-crypt devices, no
  information about used cipher, hash and keysize are available at all.

  Therefore we strongly suggest to configure the cipher, hash and keysize in
  /etc/crypttab for plain dm-crypt devices, even if they match the current
  default.

This bugreport will be closed with the next upload.

greetings,
jonas
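
Added example (not part of the original message, and not cryptsetup or Debian code): a small Python audit that lists the plain dm-crypt entries in crypttab text that lack an explicit cipher, hash or size option. The sample entries are constructed, and treating every entry without the luks or tcrypt option as plain dm-crypt is an assumption of this sketch, since it does not inspect the devices themselves.

```python
import sys

# Options the advice above asks to pin for plain dm-crypt devices.
REQUIRED = ("cipher", "hash", "size")
# Assumption: entries carrying one of these options are not plain dm-crypt.
NON_PLAIN = {"luks", "tcrypt"}

# Constructed sample in crypttab(5) layout: target, source, key file, options.
SAMPLE_CRYPTTAB = """\
# <target> <source device> <key file> <options>
sda5_crypt UUID=00000000-0000-0000-0000-000000000001 none luks
cswap /dev/sda6 /dev/urandom swap
cdata /dev/sdb1 none cipher=aes-cbc-essiv:sha256,hash=ripemd160
cbackup /dev/sdc1 /etc/keys/backup.key cipher=aes-cbc-essiv:sha256,size=256,hash=sha256
"""

def parse_options(field):
    """Split a comma-separated options field into a {name: value} dict."""
    opts = {}
    for item in field.split(","):
        if item:
            name, _, value = item.partition("=")
            opts[name] = value
    return opts

def audit_crypttab(text):
    """Return {target: [missing options]} for entries treated as plain dm-crypt."""
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line, nothing to audit
        opts = parse_options(fields[3]) if len(fields) > 3 else {}
        if NON_PLAIN.intersection(opts):
            continue  # settings come from the on-disk header, not crypttab
        missing = [name for name in REQUIRED if not opts.get(name)]
        if missing:
            findings[fields[0]] = missing
    return findings

if __name__ == "__main__":
    # Audit the file given on the command line, or the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CRYPTTAB
    for target, missing in audit_crypttab(text).items():
        print(f"{target}: plain dm-crypt without explicit {', '.join(missing)}")
```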