My notes on making encrypted filesystems "Just Work(tm)"

David Zeuthen david at
Wed Dec 15 10:44:07 PST 2004

On Tue, 2004-12-14 at 11:31 +0100, Martin Pitt wrote:
> Hi!
> David Zeuthen [2004-12-12 21:47 -0500]:
> > [1] : Here follows what metadata is stored on the actual block device
> > that is encrypted; for this to work there must be at least 512 bytes (or 
> > something) somewhere well known on the block device that we can overwrite
> > with a guarantee that the filesystem will still work. It also requires the
> > encryption to be a block-based cipher as we will overwrite the portions
> > of the crypted block device.
> > 
> > This is true for ext3 as the first 1024 bytes are not used (superblock 
> > is at offset 0x0400).
> BTW, I think it is a bad idea to rely on unused portions of the file
> system. Not all file systems leave the first block unused (like XFS)
> and in the future we might see new important file systems or changes
> to existing ones.
> I think the sanest approach really is to reserve some space
> exclusively for metadata and start the dm device at some offset.

We should support both, yes.


hal mailing list
hal at

More information about the Hal mailing list