From Mageia wiki
Jump to: navigation, search


Drakconf multiflag.png
Other languages
English ; Español

Summary

This page is to suggest including the data integrity option from cryptsetup version 2.0 during the OS install process

Owner

  • Name: Jean Roch
  • Email: <jeanroch at free dot fr>

Resources

List of people implied in this feature : dev, packagers and doc

Current status

  • Targeted release: Mageia 7
  • Last updated: 2018/07/14
  • Percentage of completion: 00%

Detailed Description

Definition found from the website : https://gitlab.com/cryptsetup/cryptsetup

"Cryptsetup is utility used to conveniently setup disk encryption based on DMCrypt kernel module. These include plain dm-crypt volumes, LUKS volumes, loop-AES and TrueCrypt (including VeraCrypt extension) format."


Why it would be good for Mageia to include it

Since version 2.0 the project includes veritysetup, this is an data integrity kernel module. With the actual version, there is no data integrity protection, which mean that anyone who is having access to the disk can modify the raw encrypted data. This can lead to corrupted data user is trying to decrypt it, or be used by the "Replay attacks" to guess the encryption key.

Thanks to this option the user will know if anythings has been modify out of the encryption.

Version 2.0 is fully backward compatible with disk encrypted with luks 1.x But to use the data integrity, the option must be specify.

During the Mageia install, when using the encryption, an option could be to offer to add the data integrity In the shell this is 2 options :

"--type luks2" and "--integrity hmac-sha256"


Test case

Here is an exemple of usage from : https://fosdem.org/2018/schedule/event/cryptsetup/attachments/slides/2506/export/events/attachments/cryptsetup/slides/2506/fosdem18_cryptsetup_aead.pdf


$ cryptsetup luksFormat --type luks2 /dev/sdb $PARAMS

PARAMS AES-XTS+HMAC: --cipher aes-xts-plain64 --integrity hmac-sha256

PARAMS ChaCha20-poly1305: --cipher chacha20-random --integrity poly1305


$ cryptsetup open /dev/sdb test


$ cryptsetup status test


$ cryptsetup close test


Software / Packages Dependencies

What could disrupt development of this new feature

Planning

Contingency

Release Notes

Documentation