Mailinglist Archive: opensuse (3337 mails)

Re: [opensuse] cryptoloop
  • From: Oliver Tennert <O.Tennert@xxxxxxxxxxxxxxxxxxxx>
  • Date: Fri, 21 Apr 2006 19:03:49 +0200 (CEST)
  • Message-id: <Pine.LNX.4.58.0604211846160.3774@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
On Fri, 21 Apr 2006, Henne Vogelsang wrote:

> Hi,
> On Friday, April 21, 2006 at 18:17:55, Oliver Tennert wrote:
> > It is clear. So, in your opinion switching to cryptoloop in SLES _now_
> > (yes, I have learnt now that SUSE 9.2 already had it too) is
> > preparing you (and your enterprise clients) for the future?
> I've already told you a couple of times (so did others) that we are not
> switching now. We already switched a long time ago.

I conceded this in the parentheses, didn't I? Switching to cryptoloop in
SUSE 9.2 was the right thing then. It is nonsense to do so now in SLES.

> I'm sorry but I really don't see what your point is (except that you want
> us to switch to dm-crypt __now__).

OK, for the n-th and last time, this is my point: There are reasons to
consider dropping cryptoloop and switching to dm-crypt.



- cryptoloop is dead, unmaintained and has been threatened with removal
from the vanilla kernel for years. Please read The only
objection to not doing that is given by people who have problems updating
their tools, as I already mentioned.
- cryptoloop can only do plain IV, which is totally insecure
- cryptoloop is bad code, it cannot encrypt swap partitions, it needs a
separate API for itself
- the cryptoloop kernel help text says it is unsafe to use it with
journaled file systems, as I also quoted before

On the other hand:

- dm-crypt can be used in a cryptoloop-compatible way, which is good for
those users who already have cryptoloop-encrypted volumes
- for all the others who do not need compatibility (i.e. for all new
volumes), dm-crypt offers ESSIV which is very much more secure
than plain IV
- dm-crypt uses the device mapper and does not need a separate user
space API like "losetup -e"
- dm-crypt is swap safe and therefore offers swap encryption
- dm-crypt is the basis for LUKS which offers a superior on-disk layout
even with multi-user capability (which is optional of course and need not
be used now)
- everyone else is using dm-crypt too, so why not SUSE?

These are my arguments. Yet you speak of future-orientation and therefore
argue in favor of cryptoloop, while waiting for an ultimate future solution
that does not exist yet.

Best regards

________________________________________creating IT solutions

Dr. Oliver Tennert
Senior Solutions Engineer
CAx Professional Services
science + computing ag
phone +49(0)7071 9457-598
fax +49(0)7071 9457-411
Hagellocher Weg 71-75
D-72070 Tuebingen, Germany

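The plain-IV weakness the mail refers to is the watermarking attack, and the difference from ESSIV can be shown in a few lines. The following is an added example, not part of the original mail and not cryptoloop or dm-crypt code. It assumes a toy 16-byte Feistel cipher built on SHA-256 as a stand-in for AES (so the ciphertext bytes are not those a real volume would produce, but the IV property being demonstrated does not depend on the cipher), and the names plain_iv, essiv, encrypt_sector, craft_watermark and watermark_visible are hypothetical. The sample key and file contents are constructed. The point shown: with plain IV the IV is just the sector number, so an attacker who never sees the key can build a file whose two consecutive sectors encrypt to identical first ciphertext blocks, letting anyone with the raw volume detect that file; with ESSIV the IV is the sector number encrypted under a hash of the key, the attacker cannot cancel it, and the crafted file is invisible.

```python
import hashlib
import struct

SECTOR = 512   # disk sector size used by both cryptoloop and dm-crypt
BLOCK = 16     # cipher block size (AES-sized)
ROUNDS = 4


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, rnd, half):
    # Round function of the stand-in cipher: SHA-256 keyed by (key, round).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key, block):
    """Toy 16-byte Feistel block cipher standing in for AES (assumption)."""
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, xor(left, _round(key, rnd, right))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = xor(right, _round(key, rnd, left)), left
    return left + right


def plain_iv(key, sector):
    """cryptoloop / dm-crypt 'plain' IV: the 32-bit little-endian sector
    number, zero-padded. Depends on nothing secret (key is ignored)."""
    return struct.pack("<I", sector) + bytes(BLOCK - 4)


def essiv(key, sector):
    """ESSIV: the sector number encrypted under a hash of the volume key.
    Without the key an attacker cannot predict it."""
    salt = hashlib.sha256(key).digest()
    return block_encrypt(salt, plain_iv(key, sector))


def encrypt_sector(key, iv_fn, sector, data):
    """CBC-encrypt one 512-byte sector using the IV scheme iv_fn."""
    assert len(data) == SECTOR
    prev = iv_fn(key, sector)
    out = bytearray()
    for i in range(0, SECTOR, BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def decrypt_sector(key, iv_fn, sector, data):
    assert len(data) == SECTOR
    prev = iv_fn(key, sector)
    out = bytearray()
    for i in range(0, SECTOR, BLOCK):
        cur = data[i:i + BLOCK]
        out += xor(block_decrypt(key, cur), prev)
        prev = cur
    return bytes(out)


def craft_watermark(sector):
    """Attacker side: two consecutive sector payloads built with NO key
    knowledge. The second cancels the difference between the two plain
    IVs, so under plain IV both first blocks enter the cipher identical."""
    marker = b"watermarked-file"          # 16 bytes, constructed sample data
    filler = bytes(SECTOR - BLOCK)
    delta = xor(plain_iv(None, sector), plain_iv(None, sector + 1))
    return marker + filler, xor(marker, delta) + filler


def watermark_visible(key, iv_fn, sector=100):
    """Does the ciphertext reveal the crafted file? True means an observer
    of the encrypted volume can tell the file is present, without the key."""
    first, second = craft_watermark(sector)
    c1 = encrypt_sector(key, iv_fn, sector, first)
    c2 = encrypt_sector(key, iv_fn, sector + 1, second)
    return c1[:BLOCK] == c2[:BLOCK]


if __name__ == "__main__":
    key = b"constructed-volume-key"
    print("plain IV leaks watermark:", watermark_visible(key, plain_iv))   # True
    print("ESSIV leaks watermark:   ", watermark_visible(key, essiv))      # False
```

The attacker's craft_watermark never touches the key; it only needs to know how the IV is derived from the sector number, which for plain IV is public. That is why the compatibility mode of dm-crypt (plain IV) is fine only for reading existing cryptoloop volumes, and new volumes should use ESSIV.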