luks dm-crypt + dd if=/dev/urandom. post-install
 

The way I understand this so far, most people seem to recommend the volume to be encrypted should be filled with urandom (dd if=/dev/urandom of=/dev/sdX) prior to the luksFormat in order to reduce the chances of an attacker being able to determine what portion of the drive is actually encrypted data. Is this also the method used by the Debian installer to initialize/erase the luks drive?

I'm a bit amateur when it comes to drive encryption- Would the benefit of dd'ing urandom to a new hd prior to creating a luks/dm-crypt volume diminish as the actual amount of data written to the filesystem increased?
ie Would there be no practical point/benefit in spending the time to urandomize the drive if it were actually a new hd and also filled to capacity with encrypted data?

By my estimate it would take 40 hours to fully dd urandom to this partition which is the only partition on the drive and is using the full 750gb drive capacity. The actual data on the partition will using near the full capacity. I'd like to know if this 40 hours of continuous dd would be a waste of time/resources in the end.

One other way I've seen mentioned is to run 'badblocks -t random ...'. What I was thinking of doing was simply to combine badblocks + mke2fs via 'mke2fs -c ...' after I had already created/mapped the crypt volume.

any suggestions or input are very welcome.

thanks

mke2fs -c -c ... badblocks -t random ?
 

I want to know if there is any way to invoke badblocks with the -t random option if called from mke2fs.

Here's my mke2fs line:
The extra '-c' calls badblocks in read/write mode. Id like this to use random data as this will be an encrypted volume.

man page for badblocks strongly discourages running badblocks outside of invocation through mke2fs. Is it possible to pass any additional options to badblocks through mke2fs such as a direct command like:


thanks

I don't know but if it uses scripts you can find out by grepping those for it.


Sure. AFAIK disks leave the factory with a single written pattern, so if you don't break that pattern by overwriting with randomised data or fill the drive to the max with encrypted content right away then if seized it is easier to spot areas where data resides. That doesn't say anything about actually being able to *break* the encryption though depending on situation and location ze judicial system may hav ozzer vays to meek you talk anyvay.


Could be done faster, see this, start at the "entropy.txt" line. Provided you have your current kernels source installed compiling, installing and using frandom takes about a minute.

Thanks for the tip, I'm looking into this.

One other question. If i create the luks volume and open the mapper device, then invoke badblocks from mke2fs for the entire partition, would this then have the same effect as randomizing the entire drive simply because i am doing a read/write test of an luks volume?

You've asked that in a separate thread, not waiting to find out how this thread would wind up, so asking here counts as a duplicate post. Please don't.

actually no.
 

Lets look at what I posted in the other thread:

this is NOT the same question or duplicate posting but thanks for taking the time to reply.

With all due respect but yeah, it *is* the same because it's about invoking 'badblocks' for result of getting randomised data. Anyway:
Of course this is a fast and shallow approximation of how you should test randomness for real, but it only was meant to show using 'badblocks -t random' is *not* a good choice.

Moved: This thread is more suitable in Debian and has been moved accordingly to help your thread/question get the exposure it deserves.

W/ all due respect, XavierP, why?

I have both badblocks & mke2fs on my MEPIS system, so I doubt this is a Debian-unique problem.

On my request. Consolidating these threads keeps related or overlapping information together, which I think is important because the usage of 'badblocks -t random' should be avoided when preparing for disk encryption.

thanks
 

Thanks for all the help/pointers. Sorry for any waste of resources by having related questioning in another forum. As usual you are all extremely informative.

:)

NP, NP. Hope you get your LUKS thing going now.