Re: [dm-crypt] FAQ rework for LUKS2: First pass done

[Arno Wagner <arno@wagner.name>]

Hi JT,

thanks, that is definitely helpful.
Streamlined a bit and added as Item 10.9

Regards,
Arno
 


On Mon, Apr 27, 2020 at 16:37:22 CEST, JT Morée wrote:
> New additions to FAQ are great.  Thank you Arno.
> 
> These are the questions I asked on this list within the last few months that I have answers for (thank you all).  My other questions are not yet researched/answered.  Most of them I sent in a previous email.  will send again as finished or on request.  Feel free to add if it seems useful. I don't need attribution as you guys did all the work.
> -------------------------------------------
> 
> Q: what is an unbound keyslot?
> 
> A: Quite simply, an 'unbound key' is an independent 'key' stored in a luks2 keyslot that cannot be used to unlock LUKS2 data device.
> 
> More specifically, an 'unbound key' or 'unbound luks2 keyslot' contains a secret stored in LUKS2 keyslot that is not currently associated with any data segment (crypt segment) in
> LUKS2 'Segments' section.
> 
> Q: What is an unbound keyslot used for?
> 
> A: What dm-crypt uses it for as of April 2020:
> 
> 1) LUKS2 reencryption. Future/new volume key is stored in an unbound
> keyslot and it becomes a regular LUKS2 keyslot later when it is used to
> actually decrypt/encrypt some crypt segment.
> 
> 2) Similar use case as 1) is used with wrapped key scheme (used
> with e.g. paes cipher). The VK stored in keyslot is in fact binary blob
> (encrypted again). The KEK for that binary blob may be refreshed (KEK in
> this case is not managed by cryptsetup!) and binary blob gets changed.
> For the KEK refresh process 'unbound keyslot' is used. First you store
> future effective VK in unbound keyslot and later it gets enforced to
> become new real VK (bound to current dm-crypt segment).
> 
> 
> JT
> 
> 
> 
> 
> 
> 
> On Sunday, April 26, 2020, 9:35:08 AM MST, Arno Wagner <arno@wagner.name> wrote: 
> 
> 
> 
> 
> 
> Hi all,
> 
> I just finished the firsy pass through the FAQ to adapt it for LUKS2.
> In particular I did the following:
> 
> - Clearly state LUKS1 or LUKS2 for things that do not apply to both
> - Still uses "LUKS" when both LUKS1 or LUKS2 are affected
> - Added references for LUKS2 header spec
> - Added specific instructions for LUKS2 where needed
> - Added a (currently pretty short) LUKS2 section
> 
> If some of you find the time to read through it and let me know
> about any errors or omissions, I would apprecitate it.
> 
> Also, if you have any suggestions for Section 10 (LUKS2 Questions),
> or mabybe even a small item to add, I would appreciate that as
> well. In particular, the LUKS2 section would benefit from some
> mini-HOWTOs, I think.
> 
> As usual, the FAQ is found at 
>   https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions
> 
> I did update the version in the sources as well, but that may take a while
> to propagate.
> 
> Regards,
> Arno
> 
> 
> -- 
> Arno Wagner,    Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
> GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
> ----
> A good decision is based on knowledge and not on numbers. -- Plato
> 
> If it's in the news, don't worry about it.  The very definition of 
> "news" is "something that hardly ever happens." -- Bruce Schneier
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> https://www.saout.de/mailman/listinfo/dm-crypt
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> https://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier