|
| From: | Darren J Moffat |
| Subject: | Re: Keyfile Support for GRUBs LUKS |
| Date: | Mon, 25 Nov 2013 10:38:40 +0000 |
| User-agent: | Mozilla/5.0 (X11; SunOS i86pc; rv:17.0) Gecko/20130718 Thunderbird/17.0.6 |
On 11/20/13 07:36, Vladimir 'φ-coder/phcoder' Serbinenko wrote:
It's not that easy. Trouble is that you need to also prevent inconsistent rollback and for this you need to have a hash tree. Then since power failure is a possibility you need this tree to be consistent at every moment. Those issues are a bit easier to handle on FS level. ZFS supports HMACs. BtrFS perhaps will one day.
Minor terminology nit: ZFS has a MAC not an HMAC. HMAC implies a hash based MAC such as HMAC-SHA256.
ZFS uses AES-CCM or AES-GCM modes which are AEAD modes that produce an Auth/MAC tag. You could do an equivalent thing with AES-CBC or AES-XTS plus HMAC-SHA256 (the original ZFS crypto prototype was AES-CBC with HMAC-SHA256 but I switched to AES-CCM/GCM).
-- Darren J Moffat
| [Prev in Thread] | Current Thread | [Next in Thread] |