
When I read the manpage for cryptsetup on Linux about "Plain mode" it says:

Plain dm-crypt encrypts the device sector-by-sector with a single, non-salted hash of the passphrase.

and the -c option says:

--cipher, -c <cipher-spec>
   Set the cipher specification string.

   cryptsetup --help shows the compiled-in defaults. The current default in the distributed
   sources is "aes-cbc-essiv:sha256" for both plain dm-crypt and LUKS.

Question

Does aes-cbc-essiv:sha256 mean that for each sector of my hard drive a sha256 hash of the passphrase is also stored in the sector?

If that is the case: What is the purpose of storing the hashed passphrase so many times?

Sandra

1 Answer


You quoted part of the man page - out of context.

Let's look at it in context:

Plain dm-crypt encrypts the device sector-by-sector with a single, non-salted hash of the passphrase. No checks are performed, no metadata is used. There is no formatting operation.

Nothing but the encrypted data is stored when using plain dm-crypt.

P.S. Don't use plain dm-crypt. The reasons why are at the very top of the same man page.

Michael Hampton
  • I think there is more than one meaning of "plain". There is use header yes/no plain/luks. You can e.g. give these arguments to `cryptsetup` `-c aes-cbc-plain -s 256`, `-c aes-cbc-benbi -s 256`, `-c aes-cbc-null -s 256`. I suppose that "plain" has something to do with each sector? – Sandra Dec 27 '12 at 02:38
  • Your choice of cipher has nothing to do with whether you choose to use dm-crypt or LUKS. – Michael Hampton Dec 27 '12 at 02:43
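
An added example, not part of the original thread and not cryptsetup's own code: a Go model of plain mode with aes-cbc-essiv:sha256, showing that a 512-byte sector encrypts to exactly 512 bytes because the ESSIV IV is recomputed from the sector number and SHA-256 of the key rather than stored, and that a wrong passphrase yields garbage with no error. The function names are hypothetical, and the key derivation assumes `--hash sha256` with a 256-bit key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// plainKey: plain mode's single unsalted hash of the passphrase (assumes --hash sha256, -s 256).
func plainKey(passphrase string) []byte {
	k := sha256.Sum256([]byte(passphrase))
	return k[:]
}

// essivIV recomputes the per-sector IV: the sector number (little-endian,
// zero-padded to one AES block) encrypted under SHA-256(volume key).
func essivIV(key []byte, sector uint64) []byte {
	salt := sha256.Sum256(key)
	blk, _ := aes.NewCipher(salt[:]) // 32-byte salt, so NewCipher cannot fail
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv, sector)
	blk.Encrypt(iv, iv)
	return iv
}

// cryptSector runs AES-CBC over one sector; output length equals input length.
func cryptSector(key, in []byte, sector uint64, decrypt bool) []byte {
	blk, _ := aes.NewCipher(key)
	out := make([]byte, len(in))
	mode := cipher.NewCBCEncrypter(blk, essivIV(key, sector))
	if decrypt {
		mode = cipher.NewCBCDecrypter(blk, essivIV(key, sector))
	}
	mode.CryptBlocks(out, in)
	return out
}

func main() {
	plain := bytes.Repeat([]byte("constructed data"), 512/16) // constructed sample sector
	key := plainKey("correct horse")
	c0, c1 := cryptSector(key, plain, 0, false), cryptSector(key, plain, 1, false)
	wrong := cryptSector(plainKey("wrong guess"), c0, 0, true) // no error, just garbage
	fmt.Println("ciphertext bytes per sector:", len(c0), "differs by sector:", !bytes.Equal(c0, c1))
	fmt.Println("right passphrase recovers data:", bytes.Equal(cryptSector(key, c0, 0, true), plain))
	fmt.Println("wrong passphrase recovers data:", bytes.Equal(wrong, plain))
}
```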