Other languages English ; Español |
Contents
Summary
This page is to suggest including the data integrity option from cryptsetup version 2.0 during the OS install process
Owner
- Name: Jean Roch
- Email: <jeanroch at free dot fr>
Resources
List of people implied in this feature : dev, packagers and doc
Current status
- Targeted release: Mageia 7
- Last updated: 2018/07/14
- Percentage of completion: 00%
Detailed Description
Definition found from the website : https://gitlab.com/cryptsetup/cryptsetup
"Cryptsetup is utility used to conveniently setup disk encryption based on DMCrypt kernel module. These include plain dm-crypt volumes, LUKS volumes, loop-AES and TrueCrypt (including VeraCrypt extension) format."
Why it would be good for Mageia to include it
Since version 2.0 the project includes veritysetup, this is an data integrity kernel module. With the actual version, there is no data integrity protection, which mean that anyone who is having access to the disk can modify the raw encrypted data. This can lead to corrupted data user is trying to decrypt it, or be used by the "Replay attacks" to guess the encryption key.
Thanks to this option the user will know if anythings has been modify out of the encryption.
Version 2.0 is fully backward compatible with disk encrypted with luks 1.x But to use the data integrity, the option must be specify.
During the Mageia install, when using the encryption, an option could be to offer to add the data integrity In the shell this is 2 options :
"--type luks2" and "--integrity hmac-sha256"
Test case
Here is an exemple of usage from : https://fosdem.org/2018/schedule/event/cryptsetup/attachments/slides/2506/export/events/attachments/cryptsetup/slides/2506/fosdem18_cryptsetup_aead.pdf
$ cryptsetup luksFormat --type luks2 /dev/sdb $PARAMS
PARAMS AES-XTS+HMAC: --cipher aes-xts-plain64 --integrity hmac-sha256
PARAMS ChaCha20-poly1305: --cipher chacha20-random --integrity poly1305
$ cryptsetup open /dev/sdb test
$ cryptsetup status test
$ cryptsetup close test