Sat 2nd April 2011 - Playing with Luks / dm-crypt.
You can get encrypted linux disks using dm-crypt without using the Luks
extensions (use program cryptsetup to control everything). But one reason
to use Luks is that it has an anti-forensics feature - the key management
blocks are secret split across mulitple blocks by secret-splitting and
stretching, the idea being if some of the blocks end up being bad and you
later want to change a compromised password or wipe keys, the fact that all
of the blocks are needed decreases your risk asymptotically towards 0 that
all of those blocks will be bad. Just do cryptsetup luksFormat
<physical-device-partition> and then cryptsetup luksOpen
<device> <name> name is a dev-mapper name and gets
linked in /dev/mapper/ (dev-mapper is the newer replacement for loopback
/dev/loop). You might want to use --cipher aes-xts-plain64 but
thats a matter of preference - the default aes-essiv is fine also.
For non-removable harddrives you can ask fedora or ubuntu to make an
encrypted disk and it'll manage it for you. Fedora uses
aes-xts-plain64. btw the plain64 just refers to the IV source
being the 64bit plain sector nuber, XTS mode makes sector number IVs that
safe, normally they would tend to cancel with plaintext differences (passive
leak) or be susceptible to chosen plaintext (active attack). ESSIV also
protects against such things.