Does cryptsetup "Plain mode" store the hashed passphrase in each sector?

Sandra asked:

When I read the manpage for cryptsetup on Linux about “Plain mode” it says:

Plain dm-crypt encrypts the device sector-by-sector with a single,
non-salted hash of the passphrase.

and the -c option says:

--cipher, -c <cipher-spec>
   Set the cipher specification string.

   cryptsetup --help shows the compiled-in defaults.  The current default in the distributed
   sources is "aes-cbc-essiv:sha256" for both plain dm-crypt and LUKS.

Question

Does aes-cbc-essiv:sha256 mean that for each sector of my harddrive a sha256 hash of the passphrase is also stored in the sector?

If that is the case: What is the purpose of storing the hashed passphrase so many times?

My answer:


You quoted part of the man page – out of context.

Let’s look at it in context:

Plain dm-crypt encrypts the device sector-by-sector with a single, non-salted hash of the passphrase. No checks are performed, no metadata is used. There is no formatting operation.

Nothing but the encrypted data is stored when using plain dm-crypt.

P.S. Don’t use plain dm-crypt. The reasons why are at the very top of the same man page.
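
Added example (not part of the original answer, and not cryptsetup's own code): a LUKS1 device records its cipher specification once, in a header at the start of the device, while a plain dm-crypt device has no header at all, so a header parser finds nothing to read. The field layout is the start of the LUKS1 on-disk header; both sample sectors and their values are constructed for illustration.

```python
import hashlib
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
# Start of the LUKS1 header (big-endian): magic, version, cipher name,
# cipher mode, hash spec, payload offset (in sectors), key length (in bytes).
LUKS1_FMT = ">6sH32s32s32sII"
SECTOR = 512


def _text(raw: bytes) -> str:
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1(first_sector: bytes):
    """Return the LUKS1 header fields, or None when no LUKS1 header is present."""
    size = struct.calcsize(LUKS1_FMT)
    if len(first_sector) < size:
        return None
    magic, version, name, mode, hash_spec, offset, key_bytes = struct.unpack(
        LUKS1_FMT, first_sector[:size])
    if magic != LUKS_MAGIC or version != 1:
        return None
    return {
        "cipher_name": _text(name),
        "cipher_mode": _text(mode),
        "hash_spec": _text(hash_spec),
        "payload_offset_sectors": offset,
        "key_bytes": key_bytes,
    }


def constructed_luks1_sector() -> bytes:
    """Constructed sample: first sector of a LUKS1 device (values are illustrative)."""
    header = struct.pack(LUKS1_FMT, LUKS_MAGIC, 1, b"aes",
                         b"cbc-essiv:sha256", b"sha1", 4096, 32)
    return header.ljust(SECTOR, b"\0")


def constructed_plain_sector() -> bytes:
    """Constructed sample: first sector of a plain dm-crypt device.
    It holds ciphertext only; fixed pseudo-random bytes stand in for it here."""
    return hashlib.sha256(b"constructed ciphertext").digest() * (SECTOR // 32)


if __name__ == "__main__":
    print("LUKS1:", parse_luks1(constructed_luks1_sector()))
    print("plain:", parse_luks1(constructed_plain_sector()))
```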


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.