mirror of
https://gitlab.com/cryptsetup/cryptsetup.git
synced 2025-12-13 20:00:08 +01:00
sync with Wiki
66
FAQ
@@ -136,13 +136,17 @@ A. Contributors
|
|||||||
|
|
||||||
* 1.5 Who wrote this?
|
* 1.5 Who wrote this?
|
||||||
|
|
||||||
Current FAQ maintainer is Arno Wagner <arno@wagner.name>. Other
|
Current FAQ maintainer is Arno Wagner <arno@wagner.name>. If you
|
||||||
contributors are listed at the end. If you want to contribute, send
|
want to send me encrypted email, my current PGP key is DSA key
|
||||||
your article, including a descriptive headline, to the maintainer,
|
CB5D9718, fingerprint 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D
|
||||||
or the dm-crypt mailing list with something like "FAQ ..." in the
|
9718.
|
||||||
subject. You can also send more raw information and have me write
|
|
||||||
the section. Please note that by contributing to this FAQ, you
|
Other contributors are listed at the end. If you want to contribute,
|
||||||
accept the license described below.
|
send your article, including a descriptive headline, to the
|
||||||
|
maintainer, or the dm-crypt mailing list with something like "FAQ
|
||||||
|
..." in the subject. You can also send more raw information and
|
||||||
|
have me write the section. Please note that by contributing to this
|
||||||
|
FAQ, you accept the license described below.
|
||||||
|
|
||||||
This work is under the "Attribution-Share Alike 3.0 Unported"
|
This work is under the "Attribution-Share Alike 3.0 Unported"
|
||||||
license, which means distribution is unlimited, you may create
|
license, which means distribution is unlimited, you may create
|
||||||
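Review bot: The added sentence in 1.5 identifies the maintainer's key first by its short ID "CB5D9718", and an 8-hex-digit ID is only 32 bits, so a different key with the same ID can be generated on purpose and a reader who looks the key up by that ID may import the wrong one. Suggest leading with the full fingerprint that is already given and telling readers to compare all 40 hex digits after import, with the short ID dropped or mentioned only in passing. Because the fingerprint is published in the same file that a tampered copy of the FAQ would carry, it would also help to name a second, independent place where it can be checked.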
@@ -309,13 +313,24 @@ A. Contributors
|
|||||||
|
|
||||||
Side-note: That has limited value against the authorities. In
|
Side-note: That has limited value against the authorities. In
|
||||||
civilized countries, they cannot force you to give up a crypto-key
|
civilized countries, they cannot force you to give up a crypto-key
|
||||||
anyways. In the US, the UK and dictatorships around the world,
|
anyways. In quite a few countries around the world, they can force
|
||||||
they can force you to give up the keys (using imprisonment or worse
|
you to give up the keys (using imprisonment or worse to pressure
|
||||||
to pressure you), and in the worst case, they only need a
|
you, sometimes without due process), and in the worst case, they
|
||||||
nebulous "suspicion" about the presence of encrypted data. My
|
only need a nebulous "suspicion" about the presence of encrypted
|
||||||
advice is to either be ready to give up the keys or to not have
|
data. Sometimes this applies to everybody, sometimes only when you
|
||||||
|
are suspected of having "illicit data" (definition subject to
|
||||||
|
change) and sometimes specifically when crossing a border. Note
|
||||||
|
that this is going on in countries like the US and the UK, to
|
||||||
|
different degrees and sometimes with courts restricting what the
|
||||||
|
authorities can actually demand.
|
||||||
|
|
||||||
|
My advice is to either be ready to give up the keys or to not have
|
||||||
encrypted data when traveling to those countries, especially when
|
encrypted data when traveling to those countries, especially when
|
||||||
crossing the borders.
|
crossing the borders. The latter also means not having any
|
||||||
|
high-entropy (random) data areas on your disk, unless you can
|
||||||
|
explain them and demonstrate that explanation. Hence doing a
|
||||||
|
zero-wipe of all free space, including unused space, may be a good
|
||||||
|
idea.
|
||||||
|
|
||||||
Disadvantages are that you do not have all the nice features that
|
Disadvantages are that you do not have all the nice features that
|
||||||
the LUKS metadata offers, like multiple passphrases that can be
|
the LUKS metadata offers, like multiple passphrases that can be
|
||||||
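Review bot: In the sentences added at the end of the side-note, "zero-wipe of all free space, including unused space" does not say what "unused space" covers that "free space" does not, so a reader cannot tell which areas they are expected to wipe. Suggest naming the areas meant, for example by stating whether this is free space inside file systems, space outside any partition, or both. The preceding requirement to "explain them and demonstrate that explanation" would also benefit from one concrete example of an explainable high-entropy area, since the advice hinges on it.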
@@ -545,6 +560,31 @@ A. Contributors
|
|||||||
and half of it is the cipher key, the other half is the XTS key.
|
and half of it is the cipher key, the other half is the XTS key.
|
||||||
|
|
||||||
|
|
||||||
|
* 2.15 How do I Verify I have an Authentic cryptsetup Source Package?
|
||||||
|
|
||||||
|
Current maintainer is Milan Broz and he signs the release packages
|
||||||
|
with his PGP key. The key he currently uses is the "RSA key ID
|
||||||
|
D93E98FC", fingerprint 2A29 1824 3FDE 4664 8D06 86F9 D9B0 577B
|
||||||
|
D93E 98FC. While I have every confidence this really is his key and
|
||||||
|
that he is who he claims to be, don't depend on it if your life is
|
||||||
|
at stake. For that matter, if your life is at stake, don't depend
|
||||||
|
on me being who I claim to be either.
|
||||||
|
|
||||||
|
That said, as cryptsetup is under good version control, a malicious
|
||||||
|
change should be noticed sooner or later, but it may take a while.
|
||||||
|
Also, the attacker model makes compromising the sources in a
|
||||||
|
non-obvious way pretty hard. Sure, you could put the master-key
|
||||||
|
somewhere on disk, but that is rather obvious as soon as somebody
|
||||||
|
looks as there would be data in an empty LUKS container in a place
|
||||||
|
it should not be. Doing this in a more nefarious way, for example
|
||||||
|
hiding the master-key in the salts, would need a look at the
|
||||||
|
sources to be discovered, but I think that somebody would find that
|
||||||
|
sooner or later as well.
|
||||||
|
|
||||||
|
That said, this discussion is really a lot more complicated and
|
||||||
|
longer as an FAQ can sustain. If in doubt, ask on the mailing list.
|
||||||
|
|
||||||
|
|
||||||
3. Common Problems
|
3. Common Problems
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
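Review bot: The new item 2.15 is titled "How do I Verify I have an Authentic cryptsetup Source Package?" but the added text only names the signing key and its fingerprint and never gives the verification step itself. Suggest adding the check a reader is expected to perform: verify the signature that accompanies the release package with the maintainer's key and compare the full fingerprint reported against the one printed here, rather than relying on the short "RSA key ID D93E98FC". Two wording fixes in the same hunk: "as soon as somebody looks as there would be data" needs a comma after "looks", and "longer as an FAQ can sustain" should read "longer than an FAQ can sustain".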