On Tue, Jun 23, 2026 at 03:04:38PM -0700, David Christensen wrote: > On 6/23/26 11:10, [email protected] wrote: > > On Tue, Jun 23, 2026 at 10:33:01AM -0700, David Christensen wrote: > > > > [...] > > > > > Both configurations work, but have different performance and security > > > considerations: > > > > > > * partitions > RAID > encryption > filesystem > > > > > > Will encrypt the RAID virtual block device, saving CPU cycles and > > > requiring one passphrase and/or key. > > > > > > * partitions > encryption > RAID > filesystem > > > > > > Will encrypt each partition, arguably improving security but > > > requiring > > > more CPU cycles and passphrases/ keys. > > > > Actually it would reduce security, IMO, because the opponent would have > > to find just one of both keys (the content is mirrored), thus potentially > > reducing the key strength by one bit. Not a big deal, granted :) > > > > Cheers > > > I agree that successfully cracking two or more disks from an encrypted RAID > will give an attacker greater confidence in the resulting data and metadata.
No, no: I meant the attacker has to crack *just one of two*, thus potentially halving the search time (assuming enough parallelism, which seems a semsible to assume in these crazy days we live in). > But I would expect a cracking algorithm for an encryption layer with on-disk > cryptographic details (e.g. LUKS header) would primarily attack those > on-disk cryptographic details: > > * Assuming a brute-force cracking algorithm, each crack attempt (e.g. > passphrase and/or key generated by an iterator) is an independent trial and > the work is readily partitioned across multiple computers working in > parallel. So, cracking 1 LUKS header with N computers will take the same > average time as cracking any one of 2 to N different LUKS headers with N > computers. Now that makes sense to me: space × time is constant, you double the one and halve the other. You're right. > * What an attacker wants is a cracking algorithm where each new cracking > attempt leverages the results from previous failed attempts. AIUI LUKS, > dm-crypt, and other professional cryptographic systems are specifically > designed to thwart such. But if you design such an algorithm, you could > become famous, make money, become an enemy of the state, go to prison, flee > into exile, etc.. I'd expect that, yes. Current attacks seem to concentrate on the PBKDF, that's why argon2, specifically argon2id [1] [2] is currently recommended (it makes highly parallel attacks by SIMD GPUs difficult) > I was thinking of what happens if a disk fails, the sysadmin disposes of the > disk, an attacker obtains the disk, and the attacker successfully cracks the > encryption. The attacker now has all or part of the plaintext data, the > plaintext metadata, and the plaintext cryptographic details at the time the > disk failed: Never do that. If the electronics still work to dd to the first sectors of the disk, by all means, do. > * If encryption was applied on top of RAID and the attacker obtains a second > encrypted disk, the attacker can use the plaintext cryptographic details > from the first disk to crack the second disk. This could be as simple as > entering the passphrase and/or key from the first disk. > > * If encryption was applied under RAID and the sysadmin used different > strong passphrases and/or keys on every disk, the plaintext cryptographic > details from any one cracked disk will not help to crack additional > encrypted disks. Which you don't need to, since we are talking RAID1, and they should have (roughly ;) equal content. Other RAID schemata are different, granted. Cheers -- t
signature.asc
Description: PGP signature

