[Haifux] Nested disk encryption

Orr Dunkelman orr.dunkelman at gmail.com
Thu Sep 16 05:57:34 MSD 2010

If you use modern ciphers (AES-256, or Serpent are two such ciphers),
there should be no problem.

The RAID's encryption does not care what you encrypt. The loopback
device does not care where it is stored. So you get double protection.


On Thu, Sep 16, 2010 at 2:09 AM, Eli Billauer <eli at billauer.co.il> wrote:
> Hello,
>
> I have a piece of sensitive data which I'd like to keep locked away when I
> don't use it. It's reassuring to know that even if my computer should ever
> meet a trojan horse, that data will be off limits, unless I happen to be
> using it at a very bad time.
>
> Having a Fedora 12 (kernel 2.6.32 for now), the immediate solution is to
> create a large empty file, mount it as a loop device, and create an
> encrypted disk on it. When I don't use the data, I simply close the
> encryption, and all is safe and sound.
>
> The only thing that worries me is that the disk itself is a RAID-5 (three
> disks) with the whole thing encrypted (that is, the whole of /dev/md0, which
> is why I don't have any unencrypted space left), and then we have LVM over
> that. So if I pull my stunt, there will be five layers of munching between
> the real data and what is written on the hardware disk, including encrypting
> twice.
>
> In a theoretical world, one can stack layers without worrying about
> anything. In the real world, there are sometimes bugs, which show up in exotic
> situations.
>
> I have no problem with some possible slowdown. I only wonder if I'm not
> pushing my luck.
>
> So what do you say? Would you feel safe stacking one encryption on another?
> Is it correct to assume that each layer works independently, and therefore
> it doesn't matter how much I stack up?
> Thanks in advance,
>     Eli
> --
> Web: http://www.billauer.co.il

Orr Dunkelman,
Orr.Dunkelman at gmail.com

GPG fingerprint: C2D5 C6D6 9A24 9A95 C5B3  2023 6CAB 4A7C B73F D0AA
(This key will never sign Emails, only other PGP keys. The key
corresponds to orrd at vipe.technion.ac.il)
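The layering argument made in the reply (each layer only needs a consistent block store below it and is oblivious to what it holds) can be modelled in a few dozen lines. This is an added illustration, not code from the thread or from dm-crypt: the disk, the offsets standing in for LVM and the loop file, and the keys are all constructed here, and a keyed HMAC-SHA256 keystream stands in for the AES-XTS that dm-crypt would actually use, since the Python standard library has no AES.

```python
import hashlib
import hmac
import os

SECTOR = 512  # dm-crypt and the loop driver both work on whole sectors


class MemoryDevice:
    """Constructed stand-in for the physical array (/dev/md0 in the thread)."""
    def __init__(self, sectors):
        self.data = bytearray(sectors * SECTOR)

    def read(self, lba):
        return bytes(self.data[lba * SECTOR:(lba + 1) * SECTOR])

    def write(self, lba, sector):
        self.data[lba * SECTOR:(lba + 1) * SECTOR] = sector


class EncryptLayer:
    """Sector-wise encryption that needs only read/write on the device below.
    The keystream is derived per sector so equal plaintext sectors differ on disk;
    it is a stand-in for AES-XTS, not the real dm-crypt construction."""
    def __init__(self, below, key):
        self.below, self.key = below, key

    def _keystream(self, lba):
        blocks = (hmac.new(self.key, lba.to_bytes(8, "big") + c.to_bytes(4, "big"),
                           hashlib.sha256).digest() for c in range(SECTOR // 32))
        return b"".join(blocks)

    def read(self, lba):
        return bytes(a ^ b for a, b in zip(self.below.read(lba), self._keystream(lba)))

    def write(self, lba, sector):
        self.below.write(lba, bytes(a ^ b for a, b in zip(sector, self._keystream(lba))))


class OffsetLayer:
    """Models LVM or a loop file: sector n here is sector n + offset below."""
    def __init__(self, below, offset):
        self.below, self.offset = below, offset

    def read(self, lba):
        return self.below.read(lba + self.offset)

    def write(self, lba, sector):
        self.below.write(lba + self.offset, sector)


def build_stack(disk, outer_key, inner_key):
    """disk <- dm-crypt over md0 <- LVM <- loop file <- dm-crypt over the loop."""
    return EncryptLayer(OffsetLayer(OffsetLayer(EncryptLayer(disk, outer_key), 8), 16), inner_key)


def roundtrip_demo():
    """Returns (inner read matches, physical sector differs, plaintext absent from disk)."""
    disk = MemoryDevice(64)
    stack = build_stack(disk, os.urandom(32), os.urandom(32))  # constructed keys
    plain = b"sensitive data".ljust(SECTOR, b"\0")
    stack.write(3, plain)
    physical = disk.read(3 + 8 + 16)  # where the sector really lands on the array
    return stack.read(3) == plain, physical != plain, b"sensitive data" not in bytes(disk.data)
```

Each layer is written against the same two-method interface, which is exactly why the order and number of layers does not affect correctness; only the per-sector work (and hence throughput) grows.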
