On Mar 26, 2012, at 4:31 PM, Pádraig Brady wrote:
Well if you're just writing huge amounts of "random" data
to clear existing space, then you don't need it to be cryptographically secure.
Why are you doing this exactly? Would /dev/zero suffice?
In every supposed best practice case of dm-crypt LUKS setup, urandom is used by example.
Including by Red Hat and Fedora Projects. The Fedora link says: "You're looking
at a process that takes many hours, but it is imperative to do this in order to have good
protection against break-in attempts. Just let it run overnight."
http://www.redhat.com/summit/2011/presentations/summit/taste_of_training/...
http://fedoraproject.org/wiki/Implementing_LUKS_Disk_Encryption
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Securit...
So then the question is, if urandom is what's recommended, are faster substitutes just
as good? If they are just as good, then why aren't they the first recommendation? And
if this step is superfluous, then I'd suggest documentation be changed to eliminate
the suggestion altogether.
Chris Murphy