On Wednesday 30 Apr 2014 03:50:12 Rick "Zero_Chaos" Farina wrote:
> On 04/29/2014 03:58 PM, Walter Dnes wrote:
> > On Tue, Apr 29, 2014 at 01:32:46PM -0400, Rick "Zero_Chaos" Farina wrote:
> > 
> >> On 04/29/2014 12:27 PM, Walter Dnes wrote:
> >>>   Another couple of things I didn't realize.  According to
> >>> 
> >>> https://wiki.gentoo.org/wiki/Dm-crypt I have to build in support for
> >>> the crypt target in the kernel.  It also suggests
> >>> <*> SHA224 and SHA256 digest algorithm
> >>> 
> >>> Any comments on their strength?  I'm not worried about the NSA or
> >>> CSIS as much as opportunistic criminals.

If it's only opportunistic criminals you're worried about then SHA1 with its 
160-bit string is ample and so is MD5 with its 128-bit.  Both are considered 
weak hashes these days and should be avoided for business-critical setups, 
but they are soooooo widely used (esp. by internet browsers, VPN routers, 
etc.) that it would be difficult to upgrade everything overnight to SHA2.


> >> I use whirlpool.  Why you ask? It sounds cool! Also it supported 512bit
> >> which seems nice.

Whirlpool is of course better, because it has an even longer 521-bit string.


> > Sorry to pester you, but I'm beginning to realize just how much is
> > involved here that I'm a newbie at.  Two more questions...
> > 
> > 
> > 1) If multiple encryption algorithms are enabled in the kernel, how does
> > the system decide which one to use?
> 
> dmcrypt/luks stores the proper encryption algorithm, as long as the
> correct one is supported you are all set.

It will use the default.  Run:

  cryptsetup --help

to see the default that it was compiled with.

Or,

it will use the --hash and --cipher options that you specify when you run 
cryptsetup.  Have a look at the fine manual.


> > 2) I assume that if I want to use the same encrypted USB key on 2 or
> > more machines, then the kernels of all the machines must be built with
> > the same encryption algorithms?
> 
> No, but they do both need the encryption and hashing algorithm you are
> using.

As I understand it, but may be wrong because I have not used LUKS, you need to 
have the same ciphers and hashes on both machines.  Thankfully, all PCs these 
days have aes and sha1.  :-)

-- 
Regards,
Mick
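
Added example, not part of the original message: a shell check for the point discussed above, that a LUKS header names its cipher and hash and a second machine needs both. It assumes the LUKS1 `cryptsetup luksDump` layout and treats both algorithms as kernel requirements, as the thread does; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: which algorithms named in a LUKS1 header are registered
# with a kernel? Function names and sample data are constructed.

# Constructed sample in the layout `cryptsetup luksDump` prints for LUKS1.
SAMPLE_DUMP='LUKS header information for /dev/sdX1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512'

# Constructed sample in the layout of /proc/crypto.
SAMPLE_PROC='name         : sha1
driver       : sha1-generic
module       : kernel

name         : aes
driver       : aes-generic
module       : kernel'

# luks_field DUMP FIELD: print the value of the "FIELD: value" line.
luks_field() {
    printf '%s\n' "$1" | awk -F':' -v f="$2" '
        $1 == f { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }'
}

# kernel_has PROC ALG: succeed if PROC has a "name : ALG" entry.
kernel_has() {
    printf '%s\n' "$1" | awk -F':' -v n="$2" '
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        $1 == "name" && $2 == n { found = 1 }
        END { exit !found }'
}

# missing_algs DUMP PROC: print header algorithms absent from PROC.
missing_algs() {
    out=""
    for field in "Cipher name" "Hash spec"; do
        alg=$(luks_field "$1" "$field")
        kernel_has "$2" "$alg" || out="$out $alg"
    done
    echo $out
}

# Real data would be "$(cryptsetup luksDump /dev/sdX1)" and "$(cat /proc/crypto)".
echo "not registered: $(missing_algs "$SAMPLE_DUMP" "$SAMPLE_PROC")"
```

/proc/crypto lists only algorithms that are currently registered, so one built as a module that has not been loaded yet is also reported here.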
