Skip to content

swap: change randomEncryption to plainOpen #25900

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

swap: change randomEncryption to plainOpen #25900

wants to merge 1 commit into from
+1 −3

Conversation

ghost
Copy link

@ghost ghost commented May 18, 2017

Motivation for this change

Instead of creating a luks container with "secretkey" as password, decrypting it and removing the luks header, it's much easier and faster to use plainOpen with /dev/urandom. And you also get some bytes more swap because you have no luks header.

That's the way it's often done and proposed in other linux distributions.

Things done
  • Tested using sandboxing
    (nix.useSandbox on NixOS,
    or option build-use-sandbox in nix.conf
    on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • Linux
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

Sorry, something went wrong.

@GeNTooFReaK
swap: change randomEncryption to plainOpen
e0dd3f6 
Instead of creating a luks container with "secretkey" as password, decrypting it and removing the luks header, it's much easier and faster to use plainOpen with /dev/urandom. And you also get some bytes more swap because you have no luks header.
@mention-bot
Copy link

@GeNTooFReaK, thanks for your PR! By analyzing the history of the files in this pull request, we identified @edolstra, @abbradar and @bjornfor to be potential reviewers.

@abbradar
Copy link
Member

Thanks! TBH I did it the way it is now only because I didn't know better.

I'll test and merge it later if noone beats me to it.

@ghost
Copy link
Author

ghost commented May 19, 2017
edited by ghost
Loading

Just to sum it up:

  • luksFormat needs at least 2 seconds to hash the password (see cryptsetup --help for --iter-time, default is 2 seconds), plainOpen does not
  • plainOpen uses absolutely no header, therefore the whole space of the partition is used for swap
  • using /dev/urandom as password is much better than a static pasword, even in the luks method the luks header was removed and therefore the master key lost forever
  • luks defaults to aes-xts-plain64, plain defaults to aes-cbc-essiv:sha256
    But I'm thinking about to add a new config option to let the users modify this, because I personally like Serpent and Twofish more than AES. Also on some low-end devices Serpent and Twofish can be faster than AES, which is nice-to-have for swap. Just try cryptsetup benchmark

@joachifm joachifm added 0.kind: enhancement Add something new 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS labels May 21, 2017
@ghost ghost mentioned this pull request May 22, 2017
Closed
7 tasks
@ghost
Copy link
Author

ghost commented May 23, 2017

Let's forget about this one and focus on the better one: #25999

@ghost ghost closed this May 23, 2017
This pull request was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
0.kind: enhancement Add something new 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@mention-bot @abbradar @joachifm @GeNTooFReaK