[pkg-cryptsetup-devel] Bug#714331: Bug#714331: Bug#714331: Bug#714331: cryptsetup: switch to "more secure" defaults?

Jonas Meurer jonas at freesources.org
Sat Jun 29 00:35:16 UTC 2013


Hello,

Am 29.06.2013 00:22, schrieb Christoph Anton Mitterer:
> On Fri, 2013-06-28 at 23:24 +0200, Jonas Meurer wrote:
>> Ok, indeed the examples could be changed to use xts. Feel free to
>> provide a patch. I'll happily accept it.
> Attached... see the header for the exact changes and intentions and
> complain if it's not okay.

Thanks for the patch. I added all your proposed changes to documentation
with the exception that I used 'size=256' and 'hash=sha1' for examples.
These are upstream defaults at the moment. I even remember some
discussion whether aes256 might be less secure than aes128. I'm not a
crypto expert at all, so I prefer to go with upstreams defaults. Is this
ok for you?

> I could write two more patches:
> 1) That changes all keyscript=/lib/cryptsetup/../name to just
> keyscript=name ... I think that's supported for keyscripts shipped with
> cryptsetup.

Done in SVN, thanks for the suggestion.

> 2) I'd recommend to replace all /dev/sd[letter][number] or
> hd[letter][number] by "/dev/sdaN".
> Why?
> - AFAIK, hd is no longer used in the current kernels (I guess the old
> non libata based IDE drivers were even dropped)...

Good point. I replaced all occurences of 'hdXY' by 'sdXY'. Thanks for
the pointer.

> - literally using "N" instead of an example number... reduces the risk
> that someone accidentally copies&pastes these examples and cause real
> harm.

Most examples use high letter+number combinations like sdg8 for that
exact reason. To be honest I prefer real examples. If you've the feeling
that any of the examples is particularely prone to copy&paste accidents,
and a warning might help, please send me a patch.

Kind regards,
 jonas



More information about the pkg-cryptsetup-devel mailing list