[pkg-cryptsetup-devel] Bug#714331: Bug#714331: cryptsetup: switch to "more secure" defaults?
Christoph Anton Mitterer
calestyo at scientia.net
Fri Jun 28 21:03:36 UTC 2013
Hi Jonas.
On Fri, 2013-06-28 at 21:57 +0200, Jonas Meurer wrote:
> I don't get it. Do you even check the things you claim before sending
> bugreports?
Sure ;-)
> Defaults for plain dm-crypt devices didn't change within the
> last releases.
Yeah I saw that... but the reason for that, as Milan laid out is
backwards compatibility, right?
So that means we need to keep the "old" settings in cryptsetup (binary)
and in the scripts where you auto-set-up devices...
But IMHO we could change any recipes (because for new setups,... nothing
should prevent people to use the "better" modes with plain).
$ aptitude download cryptsetup
Get: 1 http://ftp.de.debian.org/debian/ unstable/main cryptsetup amd64
2:1.6.1-1 [150 kB]
Fetched 150 kB in 0s (361 kB/s)
$ dpkg-deb -x cryptsetup_2%3a1.6.1-1_amd64.deb .
Then:
$ zgrep -r essiv * | grep essiv
usr/share/doc/cryptsetup/README.Debian.gz:cswap1 /dev/hda9 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256,hash=sha256
usr/share/doc/cryptsetup/README.initramfs.gz: cryptroot /dev/hda2 none cipher=aes-cbc-essiv:sha256,size=256,hash=sha256
usr/share/doc/cryptsetup/README.initramfs.gz:cryptswap /dev/hda2 cryptroot cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,keyscript=/lib/cryptsetup/scripts/decrypt_derived,swap
usr/share/doc/cryptsetup/README.initramfs.gz:cryptroot /dev/hda2 /dev/disk/by-label/myusbkey:/keys/root.key cipher=aes-cbc-essiv:sha256,size=256,hash=plain,keyscript=/lib/cryptsetup/scripts/passdev
usr/share/man/man5/crypttab.5.gz:cswap /dev/sda6 /dev/urandom cipher=aes\-cbc\-essiv:sha256,hash=ripemd160,size=256,swap
usr/share/man/man5/crypttab.5.gz:cdisk1 /dev/sda2 none cipher=aes\-cbc\-essiv:sha256,hash=ripemd160,size=256,checkargs=ext4,tries=5
usr/share/man/man5/crypttab.5.gz:cdisk2 /dev/hdc1 none cipher=aes\-cbc\-essiv:sha256,hash=ripemd160,size=256,check=customscript,tries=1
(I've removed all matches from changelogs, release notes and NEWS.
Further I removed the match from cryptroot,.. because this needs to stay
the same for backward compatibility reasons too.)
But all the above matches are, AFAICS, examples on how users could set
up their swap, etc. pp. right?
If you agree that we can/should change these... I can make a patch.
Chris.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5113 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-cryptsetup-devel/attachments/20130628/c2d2e848/attachment-0001.bin>
More information about the pkg-cryptsetup-devel
mailing list