
Re: Various questions on encrypted partitions



On Thu, Apr 24, 2008 at 08:00:39AM -0500, Jordi Gutiérrez Hermoso wrote:
> So when I installed Debian, I told d-i to wipe the hard disk and
> encrypt my lappy's hard drive. My tinfoil-hatted heart loves it.
> They'll never take me or my data alive.
>
> I am curious, though, as to the exact nature of the encryption. I'd
> rtfm, but I don't know where to begin. I understand the encryption is
> AES-256, supposedly good enough to keep spooks at bay, but how exactly
> does it work? I chose a ridiculous 25-character random printable ASCII
> password that I have committed to my cerebellum and muscle memory,
> because I thought that AES-256 actually uses my password to encrypt
> the hard drive. Is this true?
>
> I also see that it uses something called LUKS, and I understand that
> LUKS is the way to change my encryption password. How does that work,
> exactly, at the mathematical level? If I change the encryption
> password, does the hard drive get reencrypted a different way, or
> what?
>
> My last question is about potential data loss. Is an encrypted hard
> drive more vulnerable to data loss than an unencrypted one? Suppose I
> have a hardware failure or something. Will the encryption make it
> harder to recover my data than if I weren't using encryption? That is,
> if a few bytes are off, can AES-256 still decrypt gracefully?
>
> Thanks,
> - Jordi G. H.

Try looking at the manual entries for cryptsetup and luksformat...

The encryption algorithm used will depend on the options you chose when
you set up your filesystems. I think it defaults to AES-256.

And no, it doesn't use your password to encrypt all the data. It generates
a random key for that. Your password is used to encrypt the random key,
and the result stored in the LUKS header. So when you change your password,
all that happens is the random key gets re-encrypted with the new password
and replaced. It even allows you to assign multiple passwords, by storing
multiple copies of the random key, encrypted by each of the passwords.

I think the man pages above, and the other resources they cite, should
answer your other questions.

Regards,
DigbyT
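
The key-slot scheme described in the reply above, as an added Python sketch that is not part of the original post and is not cryptsetup code: one random master key, wrapped once per passphrase, so changing a passphrase rewrites a slot and leaves the data key untouched. ToyHeader, its methods and ITERATIONS are hypothetical names, and the XOR with a PBKDF2-derived key is a simplified stand-in for real key encryption.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # assumption: kept low so the example runs fast, not a LUKS default


def _kdf(secret: bytes, salt: bytes, length: int = 32) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=length)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyHeader:
    """Toy model of a LUKS-style header: one master key, several passphrase slots."""

    def __init__(self, passphrase: str):
        master_key = os.urandom(32)  # the random key that would encrypt the disk data
        self.mk_salt = os.urandom(16)
        self.mk_digest = _kdf(master_key, self.mk_salt)  # used to recognise the right key
        self.slots = {}
        self._store(0, passphrase, master_key)

    def _store(self, slot: int, passphrase: str, master_key: bytes) -> None:
        salt = os.urandom(16)
        wrapped = _xor(master_key, _kdf(passphrase.encode(), salt))  # toy key wrap
        self.slots[slot] = (salt, wrapped)

    def unlock(self, passphrase: str) -> bytes:
        """Try every slot; return the master key or raise ValueError."""
        for salt, wrapped in self.slots.values():
            candidate = _xor(wrapped, _kdf(passphrase.encode(), salt))
            if hmac.compare_digest(_kdf(candidate, self.mk_salt), self.mk_digest):
                return candidate
        raise ValueError("no key slot matches this passphrase")

    def add_passphrase(self, existing: str, new: str) -> int:
        master_key = self.unlock(existing)  # an existing passphrase is needed to add one
        slot = max(self.slots) + 1
        self._store(slot, new, master_key)
        return slot

    def remove_slot(self, slot: int) -> None:
        if len(self.slots) == 1:
            raise ValueError("refusing to remove the last key slot")
        del self.slots[slot]
```

Adding a second passphrase and then removing slot 0 models a password change: the old passphrase stops working while unlock() returns the same master key as before.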

