* [dm-crypt] distributing a linux disk crypted with dm-crypt
@ 2009-08-19 14:54 octane indice
  2009-08-19 15:42 ` Heinz Diehl
  2009-08-19 16:08 ` Moji
  0 siblings, 2 replies; 5+ messages in thread
From: octane indice @ 2009-08-19 14:54 UTC (permalink / raw)
  To: dm-crypt

Hello

For a project, I have to make a Linux distro available as a VMware appliance.

It's a project where this Linux will store confidential data.

Because it uses VMware, everybody who has access to the
VMware datastore could load the disk image, then read it, which would
lead to a major privacy breach. I want to avoid that.

So, I think I will use disk encryption.

But then a problem arises:
dm-crypt uses two sorts of keys: user keys (8) and a crypto key (1).
The user keys open the disk. Those keys are not a problem and can be
changed easily (thanks to the LUKS extension).

But every person I give the appliance to will have the crypto key which encrypts
and decrypts data. So, from a security point of view, it's not acceptable. I
can imagine a person using the appliance getting the crypto key, getting another
disk, and using it on that disk.

So my question is: is there a way to change the crypto key?
(Which would involve a complete re-encryption of the disk, but it's not a
problem, because it would happen once at first boot only.)

I hope I was clear (English is not my native language).

Thank you for your help.


* Re: [dm-crypt] distributing a linux disk crypted with dm-crypt
  2009-08-19 14:54 [dm-crypt] distributing a linux disk crypted with dm-crypt octane indice
@ 2009-08-19 15:42 ` Heinz Diehl
  2009-08-19 16:00   ` Sam
  2009-08-19 16:08 ` Moji
  1 sibling, 1 reply; 5+ messages in thread
From: Heinz Diehl @ 2009-08-19 15:42 UTC (permalink / raw)
  To: dm-crypt

At Wed, 19 Aug 2009 16:54:24 +0200,
octane indice wrote:

> But every person I give the appliance to will have the crypto key which encrypts
> and decrypts data. So, from a security point of view, it's not acceptable.

I'm not sure at all if I understand correctly what you have in mind, but
to unlock a LUKS/dm-crypt partition, you have to provide the correct passphrase/keyfile.
If you do not, there is no way other than brute-forcing it or an attack on the
encryption itself. The master key itself stays fully encrypted.

You can read more here:
http://cryptsetup.googlecode.com/svn-history/r42/wiki/LUKS-standard/on-disk-format.pdf


* Re: [dm-crypt] distributing a linux disk crypted with dm-crypt
  2009-08-19 15:42 ` Heinz Diehl
@ 2009-08-19 16:00   ` Sam
  2009-08-20 10:27     ` octane indice
  0 siblings, 1 reply; 5+ messages in thread
From: Sam @ 2009-08-19 16:00 UTC (permalink / raw)
  To: dm-crypt; +Cc: Heinz Diehl

I believe his point is that if he creates a Linux installation inside a VMware 
VM, and luksFormats the drive image from within the image, then once he has 
installed everything on that image, when he is done and now wishes to 
send that VMware image to others, they will all have the same key. Even if 
they change their passphrase, that is just encrypting the same key 
differently. Then any one person can decrypt anyone else's image, as the keys 
are all the same. He does not need the other person's passphrase to decode the 
key passed to the cypher, as his VMware image, he knows the key to, and has 
the same underlying key that is passed to the cypher.

I am guessing the answer is no, that luks/cryptsetup/dmsetup does not support 
switching the key used by the cypher. There are probably no tools to do this.

What you could do is have your startup scripts in the image, on bootup, create 
a new filesystem on top of a newly luksFormatted image, and then copy 
everything to there. 

Sam


* Re: [dm-crypt] distributing a linux disk crypted with dm-crypt
  2009-08-19 14:54 [dm-crypt] distributing a linux disk crypted with dm-crypt octane indice
  2009-08-19 15:42 ` Heinz Diehl
@ 2009-08-19 16:08 ` Moji
  1 sibling, 0 replies; 5+ messages in thread
From: Moji @ 2009-08-19 16:08 UTC (permalink / raw)
  To: dm-crypt; +Cc: octane indice

Octane,

Sorry if this is not an answer to your question but I do not follow 100%.

As you know, LUKS doesn't change the master key; it only encrypts copies
of that key.
In order to decrypt anything, the key needs to be pulled into RAM; someone
who has the ability to decrypt the master key could then retrieve it
from RAM.

As far as I know the only way to change that master key with cryptsetup
is to re-encrypt the entire disk.

-MJ


* Re: [dm-crypt] distributing a linux disk crypted with dm-crypt
  2009-08-19 16:00   ` Sam
@ 2009-08-20 10:27     ` octane indice
  0 siblings, 0 replies; 5+ messages in thread
From: octane indice @ 2009-08-20 10:27 UTC (permalink / raw)
  To: dm-crypt

In reply to Sam <test532@codingninjas.org>:
> 
> I believe his point is that if he creates a Linux installation
> inside a VMware VM, and luksFormats the drive image
> from within the image, then once he has installed 
> everything on that image, when he is done and
> now wishes to send that VMware image to others, they
> will all have the same key. Even if they change their
> passphrase, that is just encrypting the same key 
> differently. Then any one person can decrypt anyone else's
> image, as the keys are all the same.

Yes, exactly.

> He does not need the other person's passphrase to
> decode the key passed to the cypher, as his VMware
> image, he knows the key to, and has the same
> underlying key that is passed to the cypher.
>
Yes that's the problem I'm trying to avoid.
 
> I am guessing the answer is no, that
> luks/cryptsetup/dmsetup does not support 
> switching the key used by the cypher. There
> are probably no tools to do this.
> 
OK. Is it just a technical impossibility, or is it
just because nobody has tried to do it, or is it
pointless?

> What you could do is have your startup scripts
> in the image, on bootup, create 
> a new filesystem on top of a newly
> luksFormatted image, and
> then copy everything to there. 
> 
Ok, I will do something like that if there
is no other possibility.

Thank you and all others.
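
What Sam and Moji describe above (changing a passphrase re-wraps the same master key) can be checked from the LUKS1 header alone. The following is an added example, not code from this thread or from cryptsetup: it parses the LUKS1 header fields defined in the on-disk format document linked earlier and tests whether two images share a master key. The sample headers, key, salts and UUIDs are constructed for illustration.

```python
import hashlib, hmac, os, struct

# LUKS1 header: 208-byte fixed part + 8 key slots of 48 bytes, big-endian.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")  # active, iterations, salt, offset, stripes
MAGIC, SLOT_ACTIVE, SLOT_DISABLED = b"LUKS\xba\xbe", 0x00AC71F3, 0x0000DEAD

def parse_header(blob):
    """Extract what identifies the master key, plus the active key-slot salts."""
    (magic, version, _cipher, _mode, hash_spec, _payload, _key_bytes,
     mk_digest, mk_salt, mk_iter, uuid) = PHDR.unpack_from(blob, 0)
    if magic != MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    slots = [SLOT.unpack_from(blob, PHDR.size + i * SLOT.size) for i in range(8)]
    return {"hash": hash_spec.rstrip(b"\0").decode(),
            "uuid": uuid.rstrip(b"\0").decode(),
            "mk_fingerprint": (mk_digest, mk_salt, mk_iter),
            "slot_salts": [s[2] for s in slots if s[0] == SLOT_ACTIVE]}

def shares_master_key(blob_a, blob_b):
    """Same digest, salt and iteration count: the header was cloned, so both
    volumes are encrypted under the same master key."""
    return parse_header(blob_a)["mk_fingerprint"] == parse_header(blob_b)["mk_fingerprint"]

def key_matches_header(blob, master_key):
    """Recompute mk-digest = PBKDF2(master key, mk-digest-salt, mk-digest-iter)."""
    hdr = parse_header(blob)
    digest, salt, iters = hdr["mk_fingerprint"]
    calc = hashlib.pbkdf2_hmac(hdr["hash"], master_key, salt, iters, len(digest))
    return hmac.compare_digest(calc, digest)

def build_header(master_key, uuid, mk_salt, slot_salt):
    """Build a constructed sample header (key material area omitted)."""
    digest = hashlib.pbkdf2_hmac("sha1", master_key, mk_salt, 1000, 20)
    fixed = PHDR.pack(MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1", 4096,
                      len(master_key), digest, mk_salt, 1000, uuid)
    return (fixed + SLOT.pack(SLOT_ACTIVE, 1000, slot_salt, 8, 4000)
            + SLOT.pack(SLOT_DISABLED, 0, bytes(32), 0, 4000) * 7)

# Constructed sample data, not taken from any real image.
VENDOR_KEY, MK_SALT = bytes(range(32)), b"\xa5" * 32
shipped = build_header(VENDOR_KEY, b"constructed-uuid-0001", MK_SALT, b"\x01" * 32)
# Passphrase changed by the recipient: new slot salt, same master key.
repassphrased = build_header(VENDOR_KEY, b"constructed-uuid-0001", MK_SALT, b"\x02" * 32)
# Fresh luksFormat at first boot: new random master key and digest salt.
reformatted = build_header(os.urandom(32), b"constructed-uuid-0002",
                           os.urandom(32), os.urandom(32))

if __name__ == "__main__":
    print(shares_master_key(shipped, repassphrased), shares_master_key(shipped, reformatted))
```

A matching fingerprint always means a shared master key; a differing fingerprint only rules out a cloned header, so `key_matches_header` is the check to use when the shipped image's key is known.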
