From: Sam <test532@codingninjas.org>
To: dm-crypt@saout.de
Cc: Heinz Diehl <htd@fancy-poultry.org>
Subject: Re: [dm-crypt] distributing a linux disk crypted with dm-crypt
Date: Wed, 19 Aug 2009 12:00:04 -0400
Message-ID: <200908191200.04578.test532@codingninjas.org>
In-Reply-To: <87tz03lsid.wl%htd@fancy-poultry.org>
I believe his point is that if he creates a linux installation inside a VMWare
vm, and luksFormats the drive image from within the image, then once he has
installed everything on that image and wishes to send that vmware image to
others, they will all have the same key. Even if they change their passphrase,
that is just encrypting the same key differently. Then any one person can
decrypt anyone else's image, as the keys are all the same. He does not need the
other person's passphrase to decode the key passed to the cipher, as he knows
the key to his own vmware image, and it has the same underlying key that is
passed to the cipher.
I am guessing the answer is no, that luks/cryptsetup/dmsetup does not support
switching the key used by the cipher. There are probably no tools to do this.
What you could do is have your startup scripts in the image, on bootup, create
a new filesystem on top of a newly luksFormatted image, and then copy
everything to there.
Sam
> At Wed, 19 Aug 2009 16:54:24 +0200,
>
> octane indice wrote:
> > But every people I give the appliance will have the crypto key which
> > crypt and decrypt data. So, as a security point of view, it's not
> > acceptable.
>
> I'm not sure at all if I understand correctly what you have in mind, but
> to unlock a LUKS/dmcrypt partition, you have to provide the correct
> passphrase/keyfile. If you do not, there is no way other than bruteforcing
> it or an attack towards the encryption itself. The master key itself stays
> fully encrypted.
>
> You can read more here:
> http://cryptsetup.googlecode.com/svn-history/r42/wiki/LUKS-standard/on-disk-format.pdf
>
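The key-hierarchy point Sam makes above, as an added worked example that is not code from the thread or from cryptsetup. It is a deliberately simplified model of a LUKS header (PBKDF2 slot key, a toy HMAC-XOR wrap standing in for the real anti-forensic splitter and cipher), with all class and function names assumed; it shows that a passphrase change only re-wraps the unchanged master key of a copied image, whereas a fresh luksFormat yields a new one.

```python
import copy
import hashlib
import hmac
import os


def derive_slot_key(passphrase: bytes, salt: bytes, iterations: int = 1000) -> bytes:
    """Per-slot key derived from the passphrase (LUKS uses PBKDF2 this way)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=32)


def wrap(slot_key: bytes, master_key: bytes) -> bytes:
    """Toy stand-in for encrypting the master key with the slot key (XOR keystream)."""
    stream = hmac.new(slot_key, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(master_key, stream))


unwrap = wrap  # XOR with the same keystream is its own inverse


class LuksImage:
    """One encrypted image: a random master key plus one passphrase-protected slot."""

    def __init__(self, passphrase: bytes) -> None:
        self.master_key = os.urandom(32)            # generated once, at luksFormat time
        self.mk_digest = hashlib.sha256(self.master_key).hexdigest()
        self.salt = os.urandom(16)
        self.slot = wrap(derive_slot_key(passphrase, self.salt), self.master_key)

    def unlock(self, passphrase: bytes) -> bytes:
        mk = unwrap(derive_slot_key(passphrase, self.salt), self.slot)
        if hashlib.sha256(mk).hexdigest() != self.mk_digest:
            raise ValueError("wrong passphrase")
        return mk

    def change_passphrase(self, old: bytes, new: bytes) -> None:
        """luksChangeKey: re-wrap the SAME master key under a new slot key."""
        mk = self.unlock(old)
        self.salt = os.urandom(16)
        self.slot = wrap(derive_slot_key(new, self.salt), mk)


def demo() -> tuple[bool, bool]:
    template = LuksImage(b"template-pw")              # the appliance builder's image
    recipient = copy.deepcopy(template)               # a distributed copy of that image
    recipient.change_passphrase(b"template-pw", b"recipient-pw")
    rewrapped_same = recipient.unlock(b"recipient-pw") == template.master_key
    reformatted = LuksImage(b"recipient-pw")          # Sam's fix: luksFormat anew, then copy data
    reformat_differs = reformatted.master_key != template.master_key
    return rewrapped_same, reformat_differs
```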