Question

I've created a few encrypted devices with LUKS and cryptsetup on Linux and am pretty comfortable with disk encryption in this regard.

I've seen it mentioned in many different places that when setting up a LUKS partition/disk, it is advisable to first overwrite the entire partition/disk with /dev/urandom. I've seen a few places that advise that this isn't necessary, as the disk can be overwritten using the cipher, which is much faster. (/dev/urandom max on a 4.6GHz system can get over 20MB/s, whereas I'm sure that an AES-256 CBC cipher can run at over 2GB/s, which means that my encryption of the disk could run at 100 to 102.4 times faster if I'm using the cipher as opposed to /dev/urandom, disk speed being the limiting factor here).

Is using the cipher to initialize the disk as "secure" as using /dev/urandom? I would assume so, as output data should be theoretically indistinguishable between the two.

Also, how do you do this to overwrite the entire partition/disk using the cipher? I've lost the link and can't remember how to do it.

Explanation / Answer

/dev/urandom is basically just a stream cipher, only with periodic reseeding from its entropy sources to protect against its state or entropy sources becoming compromised.

Given that it's extremely unlikely the state of your cipher will become compromised while you initialize the disk, that if this happened an attacker has enough control over your system that you're likely screwed anyway, and the fact that the random numbers aren't actually being used for something like cryptographic key material, there is no concern I can think of with initializing the disk by writing to it the output of a cipher initialized with a random key and IV.
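One way to do what the answer describes, shown here as an added example that is not part of the original question or answer: encrypt a stream of zeros with AES-256-CTR under a throwaway random key and IV, and write the result over the target. The function name `fill_with_keystream` and its two arguments are assumptions of this example; it destroys whatever is on the target.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): fill a target with cipher
# output generated under a random key and IV that are never stored.
# TARGET may be a block device or an image file. Its contents are DESTROYED.

fill_with_keystream() {
    target=$1
    size=$2   # bytes to write; for a block device: blockdev --getsize64 "$target"

    # Throwaway 256-bit key and 128-bit IV, hex-encoded for openssl -K / -iv.
    key=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
    iv=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')

    # CTR mode has no padding, so encrypting exactly $size zero bytes yields
    # exactly $size bytes of keystream. iflag=fullblock keeps dd from writing
    # short blocks when reading from the pipe; conv=fsync flushes before exit.
    head -c "$size" /dev/zero \
        | openssl enc -aes-256-ctr -K "$key" -iv "$iv" \
        | dd of="$target" bs=1M iflag=fullblock conv=notrunc,fsync 2>/dev/null

    # Drop the key material from the shell; it is not needed again.
    unset key iv
}

# Stand-alone demonstration on a constructed 4 MiB image file, not a real disk.
if [ "${1:-}" = "--demo" ]; then
    img=$(mktemp)
    fill_with_keystream "$img" $((4 * 1024 * 1024))
    ls -l "$img"
    rm -f "$img"
fi
```

Passing the key with `-K` exposes it briefly in the process list, which is acceptable here only because the key protects nothing and is discarded once the fill completes.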
