mirror of
https://gitlab.com/cryptsetup/cryptsetup.git
synced 2025-12-12 11:20:10 +01:00
dfa2755aba
The cipher_null is no-encryption, it can be used for testing or temporarily when encrypting device (cryptsetup-reencrypt). Accepting only empty password prevents situation when you replace a LUKS header on an unlocking device with the faked header using null cipher (and the same UUID). Here a system could think that the device was properly unlocked (with any entered password) and will try to use this unencrypted partition instead. (IOW it prevents situation when attacker intentionaly forces an user to boot into dirrerent system just by LUKS header manipulation.) Properly configured systems should have an additional integrity protection in place here (LUKS here provides only confidentiality) but it is better to not not allow this situation in the first place. (Despite the fact that once you allow physical tampering of your system it cannot be properly secured anymore.)