Does cryptsetup "Plain mode" store the hashed passphrase in each sector?

Sandra asked:

When I read the manpage for cryptsetup on Linux about “Plain mode” it says:

Plain dm-crypt encrypts the device sector-by-sector with a single,
non-salted hash of the passphrase.

and the -c option says:

--cipher, -c <cipher-spec>
   Set the cipher specification string.

   cryptsetup --help shows the compiled-in defaults.  The current default in the
   distributed sources is "aes-cbc-essiv:sha256" for both plain dm-crypt and LUKS.

Question

Does aes-cbc-essiv:sha256 mean that for each sector of my harddrive a sha256 hash of the passphrase is also stored in the sector?

If that is the case: What is the purpose of storing the hashed passphrase so many times?

My answer:


You quoted part of the man page – out of context.

Let’s look at it in context:

Plain dm-crypt encrypts the device sector-by-sector with a single, non-salted hash of the passphrase. No checks are performed, no metadata is used. There is no formatting operation.

Nothing but the encrypted data is stored when using plain dm-crypt.

P.S. Don’t use plain dm-crypt. The reasons why are at the very top of the same man page.
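
What the sha256 in aes-cbc-essiv:sha256 is used for, as an added sketch that is not part of the original answer or of cryptsetup: the hash of the volume key keys a second AES that turns the sector number into the CBC IV, so the IV is recomputed on every access and the sector on disk holds only ciphertext. It assumes plain mode with `--hash sha256` and a 256-bit key; the function names are made up for this example, and AES is written out in pure Python only so the block runs without extra libraries.

```python
import hashlib

def _xt(a):  # multiply by x in GF(2^8), AES polynomial 0x11B
    return ((a << 1) ^ 0x11B) & 0xFF if a & 0x80 else a << 1

# Build the AES S-box: p walks the field (times 3), q tracks the inverse of p.
SBOX, p, q = [0x63] * 256, 1, 1
for _ in range(255):  # 3 generates all 255 nonzero field elements
    p ^= _xt(p)
    for s in (1, 2, 4):
        q ^= q << s
    q = q & 0xFF ^ (0x09 if q & 0x80 else 0)
    a = q | q << 8  # doubled byte, so right shifts act as 8-bit rotations
    SBOX[p] = (a ^ a >> 4 ^ a >> 5 ^ a >> 6 ^ a >> 7) & 0xFF ^ 0x63

def expand(key):  # AES-256 key schedule: 15 round keys of 16 bytes
    w, rcon = [list(key[i:i + 4]) for i in range(0, 32, 4)], 1
    for i in range(8, 60):
        t = w[i - 1]
        if i % 8 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, _xt(rcon)
        elif i % 8 == 4:
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - 8], t)])
    return [sum(w[r:r + 4], []) for r in range(0, 60, 4)]

def aes_block(rk, block):  # encrypt one 16-byte block
    s = [b ^ k for b, k in zip(block, rk[0])]
    for r in range(1, 15):
        s = [SBOX[s[(i + 4 * (i % 4)) % 16]] for i in range(16)]  # SubBytes + ShiftRows
        if r < 14:  # MixColumns, skipped in the final round
            s = [_xt(s[c + j]) ^ _xt(s[c + (j + 1) % 4]) ^ s[c + (j + 1) % 4]
                 ^ s[c + (j + 2) % 4] ^ s[c + (j + 3) % 4]
                 for c in range(0, 16, 4) for j in range(4)]
        s = [b ^ k for b, k in zip(s, rk[r])]
    return bytes(s)

def essiv_iv(key, sector):  # IV = AES keyed with sha256(key), applied to the sector number
    salt_key = hashlib.sha256(key).digest()
    return aes_block(expand(salt_key), sector.to_bytes(8, "little") + bytes(8))

def encrypt_sector(passphrase, sector, plaintext):
    key = hashlib.sha256(passphrase).digest()  # assumed: --hash sha256, 256-bit key
    rk, prev, out = expand(key), essiv_iv(key, sector), b""
    for i in range(0, len(plaintext), 16):  # CBC chaining, no padding
        prev = aes_block(rk, bytes(a ^ b for a, b in zip(plaintext[i:i + 16], prev)))
        out += prev
    return out
```

Encrypting a 512-byte sector returns exactly 512 bytes, so there is no room in the sector for a hash or an IV, and the same plaintext at two sector numbers encrypts differently because the derived IVs differ.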


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.