Bug 3092 - Poor cipher choice when creating an encrypted filesystem.
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Thierry Vignaud
QA Contact:
URL: http://www.ody.ca/~dwhodgins/Luks-How...
Whiteboard:
Keywords: Junior_job, PATCH
Depends on:
Blocks:
 
Reported: 2011-10-18 05:55 CEST by Dave Hodgins
Modified: 2012-01-28 23:43 CET

See Also:
Source RPM: drakxtools-13.58-1.mga1.src.rpm
CVE:
Status comment:


Attachments
Patch to specify cipher for the luksFormat command (568 bytes, patch)
2011-10-18 05:57 CEST, Dave Hodgins

Description Dave Hodgins 2011-10-18 05:55:53 CEST
As per the changelog in the link, --cipher aes-cbc-essiv:sha256
(the default cipher) should not be used.

Instead, --cipher aes-xts-benbi is recommended.
Comment 1 Dave Hodgins 2011-10-18 05:57:23 CEST
Created attachment 975
Patch to specify cipher for the luksFormat command
Manuel Hiebel 2011-10-25 12:32:19 CEST

CC: (none) => pterjan
Assignee: bugsquad => thierry.vignaud

Comment 2 Thierry Vignaud 2011-10-25 17:52:44 CEST
Was the patch tested?

Keywords: (none) => Junior_job, PATCH

Comment 3 Dave Hodgins 2011-10-25 19:02:46 CEST
I've tested it on my system.
Comment 4 Marja Van Waes 2012-01-28 19:50:59 CET
Pinging, because nothing has happened with this report for more than 3 months; it still has the status NEW or REOPENED.

CC: (none) => marja11

Comment 5 Thierry Vignaud 2012-01-28 21:53:53 CET
Doesn't that changelog say that the default was changed in the program directly?
Comment 6 Dave Hodgins 2012-01-28 23:19:58 CET
The changelog is for the web page, showing that the cipher was changed in the
scripts, shown on that web page.

The cryptsetup program still defaults to cbc mode.

The patch in comment 1 is for diskdrake, so it will override the
default used by cryptsetup.

It would probably be better to change the default in cryptsetup,
but I don't have a patch for that.
Comment 7 Thierry Vignaud 2012-01-28 23:43:09 CET
Committed into SVN

Status: NEW => RESOLVED
Version: 1 => Cauldron
Resolution: (none) => FIXED
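
An added example, not part of this bug report or the attached patch: a shell check that reads `cryptsetup luksDump` output and flags volumes still formatted with the CBC default discussed above, so systems installed before the fix can be audited. It assumes the LUKS1 `Cipher name:` / `Cipher mode:` header layout; the function names and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Real use: cryptsetup luksDump /dev/sdXN | audit_dump   (device path is a placeholder)

# Print "<name>-<mode>" from LUKS1 luksDump text on stdin, e.g. aes-cbc-essiv:sha256.
luks_cipher_spec() {
    awk '
        /^Cipher name:/ { sub(/^[^:]*:[ \t]*/, ""); name = $0 }
        /^Cipher mode:/ { sub(/^[^:]*:[ \t]*/, ""); mode = $0 }
        END { if (name != "" && mode != "") print name "-" mode }
    '
}

# Map a cipher spec to the mode family this report cares about.
classify_cipher() {
    case "$1" in
        "")             echo "unknown" ;;
        *-cbc|*-cbc-*)  echo "cbc" ;;
        *-xts|*-xts-*)  echo "xts" ;;
        *)              echo "other" ;;
    esac
}

# Verdict for one dump: FLAG (CBC), OK (XTS), REVIEW (anything else), UNKNOWN.
audit_dump() {
    spec=$(luks_cipher_spec)
    case "$(classify_cipher "$spec")" in
        cbc)     echo "FLAG $spec" ;;
        xts)     echo "OK $spec" ;;
        unknown) echo "UNKNOWN" ;;
        *)       echo "REVIEW $spec" ;;
    esac
}

# Constructed sample: header of a volume made with the cryptsetup default.
sample_dump_cbc() {
    printf '%s\n' 'LUKS header information for /dev/example1' '' \
        'Version:        1' 'Cipher name:    aes' \
        'Cipher mode:    cbc-essiv:sha256' 'Hash spec:      sha1'
}

# Constructed sample: header of a volume made with the cipher the patch passes.
sample_dump_xts() {
    printf '%s\n' 'LUKS header information for /dev/example2' '' \
        'Version:        1' 'Cipher name:    aes' \
        'Cipher mode:    xts-benbi' 'Hash spec:      sha1'
}

sample_dump_cbc | audit_dump
sample_dump_xts | audit_dump
```

A flagged volume keeps its cipher until it is reformatted; changing the diskdrake default only affects volumes created afterwards.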

