Question
The way I understand it, when you write to a copy-on-write filesystem, data never gets overwritten in place; instead, new data is written to a new location, and the old data will only be overwritten when the filesystem runs out of space.
If I put an encrypted container (LUKS, for example) on top of a ZFS filesystem, and then keep writing different data to the encrypted container, then I would end up with lots of different versions of the state of the encrypted container on disk.
Does this weaken the encryption? If so, how much of a threat is this in practice? Does it make it easy to break the encryption?
Explanation / Answer
Assuming your encrypted container is using a secure algorithm in a secure manner, this won't let the attacker break the encryption. In the worst-case scenario (writing files provided by the attacker), this is giving them information for performing a chosen-plaintext attack. Any good encryption algorithm (e.g. AES or Twofish) is strongly resistant to this sort of attack, so much so that you could spend millions of years writing to the disk without giving the attacker enough information to perform the attack.
The big risk is not to the encryption itself, but that it provides a side channel for gathering information about the data stored in the container. For example, if all of the discarded blocks belong to one part of the disk, it's a good sign that a hidden volume is in use.
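The write history the answer describes, as an added example that is not part of the original post and not code from ZFS, LUKS or dm-crypt: a Go model of a dm-crypt style volume sitting on a copy-on-write store that never overwrites in place. The volume is assumed to use AES-CBC with ESSIV (dm-crypt's cbc-essiv:sha256 mode; like XTS it is deterministic per sector), and `Container`, `CowStore`, `Churn`, `RecoverStale`, `Scenario`, the demo key and the sector contents are all constructed for the example. It goes one step beyond the answer: because the per-sector mode is deterministic, the stale copies also reveal whether a rewrite changed a sector's content, and once the key is obtained they decrypt to the sector's earlier contents.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Container models a dm-crypt/LUKS style volume: every sector is encrypted on its own with
// AES-CBC under an ESSIV. Assumption: dm-crypt's cbc-essiv:sha256 mode; like XTS it is
// deterministic per sector (same key, sector and plaintext give the same ciphertext).
type Container struct{ data, ivgen cipher.Block }
// essiv derives the per-sector IV: the sector number encrypted under SHA-256(key).
func (c *Container) essiv(sector uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv, sector)
	c.ivgen.Encrypt(iv, iv)
	return iv
}

func (c *Container) EncryptSector(sector uint64, plain []byte) []byte {
	buf := make([]byte, 512) // zero-pad: a volume always writes whole 512-byte sectors
	copy(buf, plain)
	cipher.NewCBCEncrypter(c.data, c.essiv(sector)).CryptBlocks(buf, buf)
	return buf
}

func (c *Container) DecryptSector(sector uint64, ct []byte) []byte {
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(c.data, c.essiv(sector)).CryptBlocks(pt, ct)
	return bytes.TrimRight(pt, "\x00") // drop the zero padding again
}

// Extent is one physical block of the copy-on-write filesystem plus the metadata kept in
// the clear: which logical sector of the container it holds. Slice order is write order.
type Extent struct {
	Sector uint64
	Data   []byte
}

// CowStore never overwrites in place: a write appends an extent and the old one stays on disk.
type CowStore struct {
	extents []Extent
	live    map[uint64]int // logical sector -> index of its current extent
}

func (s *CowStore) Write(sector uint64, ct []byte) {
	s.extents = append(s.extents, Extent{sector, ct})
	s.live[sector] = len(s.extents) - 1
}

// SectorChurn is what the raw disk reveals without the key: how often a sector was
// written, and how many of those writes carried content different from earlier ones.
type SectorChurn struct{ Writes, Distinct int }
func Churn(s *CowStore) map[uint64]SectorChurn {
	seen := map[uint64]map[string]bool{}
	out := map[uint64]SectorChurn{}
	for _, e := range s.extents {
		if seen[e.Sector] == nil {
			seen[e.Sector] = map[string]bool{}
		}
		seen[e.Sector][string(e.Data)] = true
		out[e.Sector] = SectorChurn{out[e.Sector].Writes + 1, len(seen[e.Sector])}
	}
	return out
}

// RecoverStale is the view once the key is known (say the passphrase leaks later): every
// superseded extent still decrypts, so data "overwritten" inside the container survives.
func RecoverStale(c *Container, s *CowStore) []string {
	var old []string
	for i, e := range s.extents {
		if s.live[e.Sector] != i {
			old = append(old, string(c.DecryptSector(e.Sector, e.Data)))
		}
	}
	return old
}

// Scenario is the constructed example (demo key, not a secret): sector 0 is changed and then
// restored to its first contents, sector 1 is written once.
func Scenario() (*Container, *CowStore) {
	key := bytes.Repeat([]byte{0x42}, 32)
	data, _ := aes.NewCipher(key) // fixed 32-byte key, so NewCipher cannot fail here
	h := sha256.Sum256(key)
	ivgen, _ := aes.NewCipher(h[:])
	c, s := &Container{data, ivgen}, &CowStore{live: map[uint64]int{}}
	s.Write(0, c.EncryptSector(0, []byte("config v1")))
	s.Write(1, c.EncryptSector(1, []byte("ordinary file data")))
	s.Write(0, c.EncryptSector(0, []byte("config v2")))
	s.Write(0, c.EncryptSector(0, []byte("config v1"))) // same content as the first write
	return c, s
}
func main() {
	c, s := Scenario()
	fmt.Println(Churn(s), RecoverStale(c, s))
}
```

Without the key, `Churn` tells the attacker only that sector 0 was written three times with two distinct contents and sector 1 once: that is the write-pattern side channel the answer describes, and nothing about the cipher itself. `RecoverStale` shows the other practical consequence of the old copies never being overwritten: data you replaced inside the container is still recoverable from the filesystem underneath once the passphrase is compromised, for as long as the filesystem has not reused that space.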