From: Milan Broz <gmazyland@gmail.com>
To: Ingo Franzki <ifranzki@linux.ibm.com>, dm-crypt@saout.de
Subject: Re: [dm-crypt] How to get PBKDF settings of an existing key slot via libcryptsetup ?
Date: Mon, 4 Feb 2019 14:22:33 +0100	[thread overview]
Message-ID: <dcba28fe-461c-3998-fe79-0a833ea5a5ed@gmail.com> (raw)
In-Reply-To: <a0c18371-8776-0e43-d31c-8e1acb414506@linux.ibm.com>

Hi Ingo,

On 31/01/2019 11:14, Ingo Franzki wrote:
> Hi,
> 
> is there a way to get the PBKDF settings (struct crypt_pbkdf_type) of an existing key slot in a LUKS2 volume via the libcryptsetup API? 

Not yet, but see below.

> 
> This question is related to the default PBKDF algorithm Argon2i for LUKS2 and the out-of-memory errors that you might get when you unlock multiple LUKS2 volumes during system startup via /etc/crypttab.
> 
> One of my applications uses crypt_keyslot_add_by_key() to add a new unbound key slot. Unfortunately this new key slot gets the default PBKDF settings, thus it gets Argon2i. I guess if I used crypt_set_pbkdf_type() beforehand to set PBKDF2, then the new key slot would get PBKDF2 instead of Argon2i. However, I don't want to hard-code PBKDF2 here; I would like to use the PBKDF settings of the key slot that was unlocked before. So I would need a way to get the PBKDF settings of a key slot and then use crypt_set_pbkdf_type() with those settings before calling crypt_keyslot_add_by_key(). That way the new key slot would get the same PBKDF settings as the current one.
> 
> Using crypt_get_pbkdf_type() seems to return the default PBKDF algorithm, thus Argon2i for LUKS2. 

Yes, you describe exactly how I intended to use it. (I guess your use case is s390 crypto, so PBKDF2 is ok, because it is a wrapped key for the crypto accelerator;
without the hw an attacker cannot run offline attacks here.)

But since we can now get per-keyslot encryption in LUKS2 through the API, there should also be a way to get a specific keyslot's PBKDF setting (and not only the default).

It should be relatively simple, so I tried to add such a call - is it something like this that you need?
  https://gitlab.com/cryptsetup/cryptsetup/commit/8c3be56418248ef5b96265f901122effa88e446b

Thanks,
Milan
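
The workaround Ingo is asking about (read the PBKDF parameters of the keyslot that was just unlocked, then reuse them for the new unbound keyslot) is the same thing the cryptsetup CLI lets you do by hand: `cryptsetup luksDump` prints each keyslot's PBKDF type and parameters, and `luksAddKey` accepts `--pbkdf`, `--pbkdf-force-iterations`, `--pbkdf-memory`, `--pbkdf-parallel` and `--hash` to reproduce them. The script below is an added example, not code from this thread or from the cryptsetup project. The dump text it parses is constructed for the example and only approximates the LUKS2 `luksDump` layout (keyslot header lines indented by two spaces, field lines indented further, a separate `Digests:` section that also contains `Iterations:` lines); `/dev/sdX2` is a placeholder and nothing is written to any device.

```shell
#!/bin/sh
# Added example, not code from the thread or from the cryptsetup project.
# Clone an existing LUKS2 keyslot's PBKDF parameters onto a new unbound keyslot
# from the shell, by parsing `cryptsetup luksDump` output.

# Constructed sample of LUKS2 `cryptsetup luksDump` output (shortened; values
# made up for this example). Slot 0 uses Argon2i, slot 1 is an unbound PBKDF2
# slot. The trailing "Digests:" section also carries PBKDF/Iterations lines,
# which a naive grep would pick up by mistake.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      argon2i
        Time cost:  4
        Memory:     703652
        Threads:    4
        AF hash:    sha256
        Digest ID:  0
  1: luks2 (unbound)
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000
        AF hash:    sha256
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 101612'

# keyslot_pbkdf_opts SLOT
# Reads luksDump text on stdin and prints the cryptsetup options that reproduce
# SLOT's PBKDF settings (hash and iterations for pbkdf2; time cost, memory and
# threads for argon2*). Exits 1 if the slot is not present.
keyslot_pbkdf_opts() {
    awk -v slot="$1" '
        /^[A-Za-z]/ { section = $1 }       # top-level heading, e.g. "Keyslots:" / "Digests:"
        section != "Keyslots:" { next }     # ignore digest and token sections entirely
        /^  [0-9]+: / { cur = $1; sub(":", "", cur); next }   # "  0: luks2 (unbound)"
        cur != slot { next }
        $1 == "PBKDF:"      { pbkdf = $2 }
        $1 == "Hash:"       { hash = $2 }
        $1 == "Iterations:" { iters = $2 }
        $1 == "Time" && $2 == "cost:" { iters = $3 }
        $1 == "Memory:"     { mem = $2 }
        $1 == "Threads:"    { thr = $2 }
        END {
            if (pbkdf == "") exit 1
            # --pbkdf-force-iterations carries the PBKDF2 iteration count or the
            # Argon2 time cost, and disables the runtime benchmark.
            out = "--pbkdf " pbkdf " --pbkdf-force-iterations " iters
            if (pbkdf == "pbkdf2")
                out = out " --hash " hash
            else
                out = out " --pbkdf-memory " mem " --pbkdf-parallel " thr
            print out
        }'
}

# suggest_addkey_cmd DEVICE SLOT
# Prints (does not run) the luksAddKey invocation that gives a new unbound
# keyslot the same PBKDF settings as SLOT. On a real system replace SAMPLE_DUMP
# with `cryptsetup luksDump "$dev"`.
suggest_addkey_cmd() {
    dev=$1
    slot=$2
    opts=$(printf '%s\n' "$SAMPLE_DUMP" | keyslot_pbkdf_opts "$slot") || return 1
    printf 'cryptsetup luksAddKey --unbound %s %s\n' "$opts" "$dev"
}

suggest_addkey_cmd /dev/sdX2 0
```

Two caveats a practitioner should keep in mind. Copying a slot's settings verbatim also copies a weak setting: `--pbkdf-force-iterations` skips cryptsetup's benchmark, so a low PBKDF2 count is only acceptable in a situation like the one Milan describes (a wrapped key that is useless without the hardware), not for a passphrase-derived key that can be attacked offline. And the per-keyslot getter Milan links to landed in libcryptsetup 2.1 as crypt_keyslot_get_pbkdf(), so applications built against that or a newer version can read the struct crypt_pbkdf_type directly instead of parsing dump text.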


Thread overview: 7+ messages
2019-01-31 10:14 [dm-crypt] How to get PBKDF settings of an existing key slot via libcryptsetup ? Ingo Franzki
2019-02-04 13:22 ` Milan Broz [this message]
2019-02-04 13:44   ` Ingo Franzki
2019-02-04 15:15     ` Ingo Franzki
2019-02-04 17:47       ` Milan Broz
2019-02-14  9:28         ` Ingo Franzki
2019-02-15 12:12           ` Milan Broz
