Mailinglist Archive: opensuse (3337 mails)

Re: [opensuse] cryptoloop
  • From: Oliver Tennert <O.Tennert@xxxxxxxxxxxxxxxxxxxx>
  • Date: Fri, 21 Apr 2006 15:00:28 +0200
  • Message-id: <200604211500.28808.tennert@xxxxxxxxxxxxxxxxxxxx>
On Friday, 21 April 2006 14:43, Lars Hecking wrote:
> > Now, obviously SUSE is going to switch from an absolutely not widespread
> > solution to an obsolete solution, and furthermore announces this as a
> > novelty for the next-generation enterprise distro. What is this? Every
> > other Distro (Fedora, RedHat, Debian, Ubuntu et al.) is using dm-crypt
> > and even going to
>
> gentoo :)
>
> > integrate LUKS, only SUSE does not!
> >
> > I really do NOT understand that in any way. Does anybody else?
>
> I certainly don't - cryptoloop is not only obsolete, but has serious
> problems. Which is why I hacked dm-crypt support into 9.2, and I'm pretty
> sure it transfers to 10.0/10.1. Email me if you're interested in scripts
> and instructions, I meant to publish it all on ILUG but didn't find the
> time yet.
>

I am very interested though I must say that I am even more interested in not
only integrating dm-crypt (which is more or less trivial) but also LUKS as
THE default encrypted volume format as well.

Moreover, the most non-trivial part is integrating LUKS in a way to encrypt
the root fs, too, which needs patching the initrd.

Now, what I do not understand is: how come such a transition decision is made?
It has nothing to do with (software) evolution, nor is it intelligent design.
Therefore, it must be a MANAGEMENT DECISION.

Why cryptoloop is bogus can be read here:

http://lwn.net/Articles/67216/

And behold! The article is more than 2 years old!

The security weaknesses of using CBC mode with a plain IV generation scheme are
best explained on Clemens Frühwirth's homepage (the LUKS maintainer), so
there's no need to repeat them here. Not to speak of the fact that afaik
cryptoloop is not maintained any more (afaik the former maintainer has
ironically been Clemens Frühwirth).

So all in all, switching to cryptoloop NOW is complete nonsense.

Best regards

Oliver


--
If you make people think they're thinking, they'll love you; but if you
really make them think they'll hate you.
--
__
________________________________________creating IT solutions

Dr. Oliver Tennert
Senior Solutions Engineer
CAx Professional Services
science + computing ag
phone +49(0)7071 9457-598 Hagellocher Weg 71-75
fax +49(0)7071 9457-411 D-72070 Tuebingen, Germany
O.Tennert@xxxxxxxxxxxxxxxxxxxx www.science-computing.de


