On Friday, 21 April 2006 15:35, Henne Vogelsang wrote:
I understand that (Open)SUSE 10.1 is going to be the test arena for SLES 10, or am I wrong?
You do. They are from the same codebase, yes, but SUSE Linux is no testbed for SUSE Linux Enterprise 10!
OK, I put it another way: the experience you get from SUSE 10.1 surely influences SLES development.
dm-crypt is far away from being the standard for encrypted filesystems.
If you define "standard" to be the most deployed solution, then yes it is. cryptoloop surely is completely out.
It has the same problem with weak IV generation as cryptoloop. And ESSIV is not very well analyzed yet (the things someone like David Wagner says about it do not help either). It does not bring any significant advantages over cryptoloop that justify the main problem we have with making a switch. You have to provide an upgrade path. And with enterprise products you have to provide an upgrade path for several years (read 7). This means that the more often you switch the implementation the more scenarios you have to cover in your upgrade path and the likelier you will fail to provide one. [1]
I do not understand that: surely you need an upgrade path when you break compatibility. But if you don't then the upgrade path is as trivial as it is when switching to cryptoloop. The advantage you get however if you switch to dm-crypt is: actively maintained code plus additional features and enhanced security.
On a side note: Everything you need to use dm-crypt has been included for several versions. It's just not the default in YaST.
Yes, I know. So: why not use it?
Please also note: All the current cryptofs implementations are far from being complete (and good in a cryptographic sense). For instance, they don't provide fundamental cryptographic needs like providing integrity (prevent corruption, reverting, swapping attacks) or prevention against watermarking.
The ESSIV generation scheme is _the_ protection against simple watermarking attacks. This is one of the reasons it has been developed.
So in short, simply because it's new and everybody else uses it, it's not better in any way.
First: dm-crypt is not new, but in-tree since 2.6.4. Second: switching to something obsolete and unmaintained surely is wrong.

Best regards
Oliver

--
Dr. Oliver Tennert
Senior Solutions Engineer, CAx Professional Services
science + computing ag
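The IV point argued in this thread, as an added example that is not part of the original message: with a sector-number ("plain") IV, data prepared by someone who does not hold the key can still produce repeating first ciphertext blocks across sectors, while ESSIV derives the IV from the key and breaks the pattern. Assumptions: `prf` is an HMAC-SHA256 stand-in for the block cipher (not AES), and the key, sectors and marker are constructed values.

```python
import hashlib
import hmac
import struct

BLOCK = 16  # bytes per cipher block

def prf(key: bytes, block: bytes) -> bytes:
    """Stand-in for block cipher E_key (assumption: truncated HMAC-SHA256,
    not AES). Only determinism and key dependence matter for this demo."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def iv_plain(key: bytes, sector: int) -> bytes:
    """'plain' IV: 32-bit little-endian sector number, zero padded (public)."""
    return struct.pack("<I", sector & 0xFFFFFFFF) + bytes(BLOCK - 4)

def iv_essiv(key: bytes, sector: int) -> bytes:
    """ESSIV: IV = E_{hash(key)}(sector number), unknown without the key."""
    salt = hashlib.sha256(key).digest()
    return prf(salt, struct.pack("<Q", sector) + bytes(BLOCK - 8))

def first_cbc_block(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """First CBC ciphertext block: C1 = E_key(P1 XOR IV)."""
    return prf(key, xor(plaintext[:BLOCK], iv))

def distinct_first_blocks(iv_fn, key: bytes, sectors, marker: bytes) -> int:
    """Content prepared without the key: each sector's first block is
    marker XOR the public sector-number IV. Returns how many distinct first
    ciphertext blocks result (1 means the marker shows through)."""
    seen = set()
    for s in sectors:
        plaintext = xor(marker, iv_plain(b"", s))  # needs no key material
        seen.add(first_cbc_block(key, iv_fn(key, s), plaintext))
    return len(seen)

# Constructed sample values
KEY = hashlib.sha256(b"constructed demo key").digest()
SECTORS = [2048, 2049, 2050, 2051]
MARKER = b"constructed-mark"  # exactly 16 bytes

if __name__ == "__main__":
    print("plain IV :", distinct_first_blocks(iv_plain, KEY, SECTORS, MARKER))
    print("ESSIV    :", distinct_first_blocks(iv_essiv, KEY, SECTORS, MARKER))
```

A count of 1 under the plain IV means every sector starts with the same ciphertext block, which is visible to anyone inspecting the raw device; under ESSIV the blocks are all different.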