luksformat doesn't use strongest cipher by default

Bug #78508 reported by Fridtjof Busse on 2007-01-08
Affects: cryptsetup (Ubuntu)
Importance: Undecided
Assigned to: Martin Pitt

Bug Description

Binary package hint: cryptsetup

luksformat doesn't set --key-size and thus uses what seems to be the default in 'luksFormat': 128 Bit.
It should use the strongest cipher (256 Bit) by default IMO or at least tell the user that there's a way to use a stronger cipher.
Currently, the user doesn't get informed about which keysize gets used.

Martin Pitt (pitti) on 2007-01-10
Changed in cryptsetup:
assignee: nobody → pitti
status: Unconfirmed → In Progress
jhansonxi (jhansonxi) wrote :

I've also noticed the 128-bit default in cryptsetup 1.0.5 on Ubuntu Gutsy.

jhansonxi (jhansonxi) wrote :

Further clarification: luksFormat defaults to 128 bits, which is in accordance with the cryptsetup man page section regarding --key-size. However, LUKS crypt volumes created with the Gutsy Alternate i386 installer default to 256 bits and the man page section "NOTES ON PASSWORD PROCESSING" implies the default is 256 bits. The man page is inconsistent and the luksFormat default doesn't match the installer defaults.

Martin Pitt (pitti) wrote :

I checked the code: DEFAULT_LUKS_KEY_SIZE (128) is the default used for luksFormat, while DEFAULT_KEY_SIZE (256) is the default for 'create'.

I committed a fixed manpage to bzr head.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cryptsetup - 2:1.0.5-2ubuntu9

---------------
cryptsetup (2:1.0.5-2ubuntu9) hardy; urgency=low

  * debian/scripts/luksformat: Use 256 bit key size by default.
    (LP: #78508)
  * debian/patches/02_manpage.dpatch: Clarify default key sizes (128 for
    luksFormat and 256 for create) in cryptsetup.8. (side-note in LP #78508)

 -- Martin Pitt <email address hidden> Wed, 27 Feb 2008 17:43:46 +0100

Changed in cryptsetup:
status: In Progress → Fix Released
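
Volumes formatted before this fix keep the key size they were created with, so existing headers are worth auditing. The script below is an added example, not part of the bug report or the cryptsetup package: it reads the "MK bits" field from LUKS1 `cryptsetup luksDump` output and flags anything below a chosen minimum. The function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the master-key size recorded in a LUKS1 header.
# Real use (as root): cryptsetup luksDump /dev/DEVICE | luks_keysize_check 256

# Constructed sample of LUKS1 luksDump output (not taken from a real volume).
sample_dump() {
cat <<'EOF'
LUKS header information for /dev/example

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 1032
MK bits:        128
EOF
}

# Print the "MK bits" value from luksDump output on stdin; prints nothing if absent.
luks_mk_bits() {
    awk -F: '/^MK bits:/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Usage: luks_keysize_check MIN_BITS < luksDump-output
# Returns 0 if key size >= MIN_BITS, 1 if weaker, 2 if the field is missing or malformed.
luks_keysize_check() {
    min=$1
    bits=$(luks_mk_bits)
    case $bits in
        ''|*[!0-9]*) echo "no MK bits field found" >&2; return 2 ;;
    esac
    if [ "$bits" -lt "$min" ]; then
        echo "WEAK: $bits-bit key (want >= $min); new volumes need --key-size $min" >&2
        return 1
    fi
    echo "OK: $bits-bit key"
}

# Demonstration on the constructed sample: reports the 128-bit default as weak.
sample_dump | luks_keysize_check 256 || true
```

The key size is fixed when the header is written, so a volume flagged here has to be recreated with an explicit `--key-size` and its data restored; upgrading the package alone does not change it.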