Re: [dm-crypt] Disadvantages of many temporary keys?

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Disadvantages of many temporary keys?
Date: Sat, 28 Oct 2017 06:39:35 +0200	[thread overview]
Message-ID: <20171028043935.GA2115@tansi.org> (raw)
In-Reply-To: <ot0mnr$mn5$1@blaine.gmane.org>

On Sat, Oct 28, 2017 at 03:32:50 CEST, Robert Nichols wrote:
[...]
> But, removal of that temporary key is not as secure as you might think. 
> Anyone (or any bot) that had an opportunity to make a copy of the LUKS
> header while that key was installed can always use that header, together
> with that "temporary" key, to unlock the container.  "LUKS with detached
> header" would be the most straightforward way, but the master key could
> also be constructed from that header + key and used directly with
> cryptsetup to access the container's contents.

As always, the fact of thematter is that an attacker that has 
access to the decrypted container can get everything, including 
all data in there. But said attacker could also replace the
cryptsetup binary, the kernel, etc. so it is somthing to be 
aware of, not something to fix. 

Regards,
Arno

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier

next prev parent reply	other threads:[~2017-10-28  4:49 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-10-28  1:09 [dm-crypt] Disadvantages of many temporary keys? L. Rose
2017-10-28  1:32 ` Robert Nichols
2017-10-28  4:39   ` Arno Wagner [this message]
2017-10-28 10:14     ` Claudio Moretti

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20171028043935.GA2115@tansi.org \
    --to=arno@wagner.name \
    --cc=dm-crypt@saout.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.