I'm wanting to set up a LUKS-encrypted LVM on a new system before setup.
Is there any support for hashing with anything other than SHA1 with LUKS?
Last edited by MkFly (2010-07-05 20:21:08)
From what I can tell, support for this was added with cryptsetup 1.1.0, released a couple of weeks after my original post:
Cryptsetup 1.1.0 Release Notes
* Uses libgcrypt and enables all gcrypt hash algorithms for LUKS through -h luksFormat option.
Please note that using different hash for LUKS header make device incompatible with old cryptsetup releases.
# sudo cryptsetup luksFormat /dev/sda1 --hash sha512
# sudo cryptsetup luksDump /dev/sda1
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha512
From cryptsetup manpage:
WARNING: setting hash other than sha1 causes LUKS device incompatible with older version of cryptsetup.
The hash string is passed to libgcrypt, so all hashes accepted by gcrypt are supported. Default is set during compilation, compatible values with old version of cryptsetup are "ripemd160" for create action and "sha1" for luksFormat.
# cryptsetup --help
Default compiled-in device cipher parameters:
plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
LUKS1: aes-cbc-essiv:sha256, Key: 256 bits, LUKS header hashing: sha1
Last edited by MkFly (2010-07-31 19:04:44)
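An added example, not part of the original posts: a small shell audit that reads `cryptsetup luksDump` text and reports whether the header hash ("Hash spec") keeps the device openable by cryptsetup releases older than 1.1.0, and separately shows the ESSIV hash from "Cipher mode", which is easy to confuse with it. The function names and the `/dev/sdXN` placeholder are assumptions; the sample fields are the ones shown in the luksDump output above.

```shell
#!/bin/sh
# Added example (not from the thread): audit `cryptsetup luksDump` text on stdin.

# Fields copied from the luksDump output quoted in the post above.
SAMPLE_DUMP='Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha512'

# luks_field NAME: print the value of the first "NAME: value" line; status 1 if absent.
luks_field() {
    awk -F: -v key="$1" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key {
            v = substr($0, index($0, ":") + 1)   # keep colons inside the value
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; found = 1; exit
        }
        END { if (!found) exit 1 }
    '
}

# audit_luks_hash: classify the header hash ("Hash spec"), which --hash sets.
#   legacy-compatible sha1  -> openable by cryptsetup older than 1.1.0
#   needs-1.1.0 <hash>      -> any other hash, per the release notes quoted above
# Status 2 if there is no "Hash spec" line (input is not a LUKS dump).
audit_luks_hash() {
    spec=$(luks_field "Hash spec") || return 2
    spec=$(printf '%s' "$spec" | tr 'A-Z' 'a-z')
    case "$spec" in
        sha1) echo "legacy-compatible $spec" ;;
        *)    echo "needs-1.1.0 $spec" ;;
    esac
}

# essiv_hash: print the hash named in "Cipher mode" (the ESSIV IV generator).
# This one is part of the cipher spec and is not changed by --hash.
essiv_hash() {
    mode=$(luks_field "Cipher mode") || return 2
    case "$mode" in
        *essiv:*) echo "${mode##*essiv:}" ;;
        *)        return 1 ;;
    esac
}

# Real use (needs root): cryptsetup luksDump /dev/sdXN | audit_luks_hash
printf '%s\n' "$SAMPLE_DUMP" | audit_luks_hash
printf '%s\n' "$SAMPLE_DUMP" | essiv_hash
```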