From 39bfce25f8f64bf7f450e345a4b8700702064769 Mon Sep 17 00:00:00 2001
From: Jaromil
Date: Sun, 12 Jan 2014 23:32:23 +0100
Subject: [PATCH] Change default cipher specification new default is "aes-xts-plain64:sha256" manpage now includes note on how to tune it fixes #102
---
 doc/tomb.1 | 6 ++++--
 tomb | 4 +++-
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/doc/tomb.1 b/doc/tomb.1
index 07cbe61..1d94681 100644
--- a/doc/tomb.1
+++ b/doc/tomb.1
@@ -54,8 +54,10 @@ Initializes and locks an empty tomb (made with \fIdig\fR) using a key (made with \fIforge\fR), making it ready for usage. After this operation, the tomb can only be open in possession of the key and knowing its password. As in any other command requiring a key, the
-option \fI-k\fR should be used to specify a key file. This operation
-requires root privileges to loopback mount, format the tomb (using
+option \fI-k\fR should be used to specify a key file. The \fI-o\fR
+option can be used to specify the cipher specification: default is
+"aes-xts-plain64:sha256", old versions of Tomb used "aes-cbc-essiv:sha256".
+This operation requires root privileges to loopback mount, format the tomb (using
 LUKS and Ext4), then set the key in its first LUKS slot.
 .B
diff --git a/tomb b/tomb
index 948c427..36cb006 100755
--- a/tomb
+++ b/tomb
@@ -1154,7 +1154,9 @@ lock_tomb_with_key() {
 if option_is_set -o; then
 cipher="`option_value -o`"
 else
- cipher="aes-cbc-essiv:sha256"
+ cipher="aes-xts-plain64:sha256"
+ # old default was aes-cbc-essiv:sha256
+ # for more alternatives refer to cryptsetup(8)
 fi
 _message "locking using cipher: $cipher"
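Review bot: The new default on the `cipher="aes-xts-plain64:sha256"` line moves to XTS, which splits the supplied key into two halves, so the key size handed to cryptsetup must be double the CBC value to keep the same AES key length (512 bits for AES-256). The format call is outside this hunk, as is the rest of `lock_tomb_with_key`, so confirm it does not still pass a size chosen for CBC; a constructed example is `--key-size 256`, which under XTS gives AES-128. The `:sha256` suffix also looks carried over from the ESSIV spec, where it names the IV hash; as far as I can tell plain64 takes no such option, so a reader may mistake it for the LUKS hash setting. I would extend the added comment with `# XTS uses two half-size keys: check --key-size` and `# ":sha256" was the ESSIV IV hash; plain64 does not use it`.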