Tails

Please creat a LUKS format disk, insert another U-disk(etc.) to your computer. In 1.1~beta1: AccessoriesDisk Utility>click your U-disk on the leftFormat drive,Format,Format>Creat Partitionchoose FAT>Encrypt underlying deviceCreat>input password->Creat. Now a LUKS format partition is created.

This partition can be open in Windows by FreeOTFE: FileLinux volume>Mount partitionDon’t click Entire disk, just click the partition on the picture, Ok>input your password, now you can decrypt the LUKS volume created in Tails.

I backup the CBD of LUKS patitions created by tails-i386-1.0.1 and tails-i386-1.1~beta1, this operation don’t need password. Both CBD indicate the security information of the partition in plain text without encryption.

“LUKS aes cbc-essiv:sha256 sha1… following encrypted user password and encrypted master key(never change)”

It’s obviously a big security hole, so TrueCrypt encrypt its CBD to remove any tag, and FreeOTFE not only encrypt its CBD but also hide CBD by setting OFFSET value which user had setup when creating the partition.

Cryptsetup don’t hide its basic security information. If you choose cryptsetup, I hope you could provide more options when creating a secure partition or volume, algorithm AES-CBC-ESSIV is not secure enough, AES-XTS would be better. Cryptsetup has options like: —hash, —cipher, —verify-passphrase, —key-file, —key-size, —offset, —skip, —readonly.
Hidden partition created by offset and without any tag is the trend of security. To gain maximum security, a FreeOTFE like software is preferd.

The following is the CBD of the partitions created by Tails.

cryptsetup Style Dump of encrypted partition created in tails-i386-1.1~beta1
——————————-
LUKS header information for \Device\Harddisk3\Partition1

Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 4096
MK bits: 256
MK digest: bf 54 8e 3e cb a2 6d 73 80 58 6c fb 6a 5b 82 5a 8e 8d db bc
MK salt: 74 1c a2 a6 14 da d9 e1 36 93 30 24 83 ec dc 68
b7 f5 79 01 90 31 73 15 d8 c3 47 c6 81 11 1b 81
MK iterations: 25500
UUID: 6e494f9d-dbeb-4ba1-baf0-ef6e158793e4

Key Slot 0: ENABLED
Iterations: 102056
Salt: 75 71 8f c1 27 99 86 7e 14 9b 3f d7 95 ec ca be
7a ee 17 0a f3 7a 44 23 4b 29 0c 34 39 fc 6b c3
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Master Key
—————
User supplied password : test
Password unlocks key slot: 0
Recovered master key :
00000000 | 67 BE FE 89 43 98 37 DF | g…C.7.
00000008 | 3A E8 91 DF 1E 7C AB 89 | :….|..
00000010 | 0F 2A 9F CC 59 3C 30 98 | .*..Y<0.
00000018 | 57 37 5E 02 84 E3 0A E2 | W7^…..

cryptsetup Style Dump of encrypted partition created in tails-i386-1.0.1
——————————-
LUKS header information for \Device\Harddisk3\Partition1

Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 2056
MK bits: 256
MK digest: 1d 5f 54 cd ce 46 59 8e 1c 56 3b 1e 6b cd f6 42 2e df e4 db
MK salt: b8 b8 d9 06 57 d9 7d 92 fc 82 e0 b7 d6 25 81 46
fa ce 4b 70 62 d8 0f 3d 3a 3e 4b ec f8 6e fc 27
MK iterations: 20500
UUID: 99a86cfc-401d-451f-98a5-922140b4ebb9

Key Slot 0: ENABLED
Iterations: 82414
Salt: 39 ed c7 4e 86 65 e5 a7 cd 18 e6 01 37 4a 6e c8
fb 4c 62 94 fb c3 e9 f3 32 13 2c 3a e1 de 3d 70
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Master Key
—————
User supplied password : test2
Password unlocks key slot: 0
Recovered master key :
00000000 | D8 BF 1B 82 75 DD D4 BF | ….u…
00000008 | 01 78 78 E5 12 DB 87 91 | .xx…..
00000010 | 64 4A 25 34 B1 4E FE 9B | dJ%4.N..
00000018 | 22 B5 08 9A A1 D1 33 12 | "…..3.