Re: [dm-crypt] LUKS self-destruct key

From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] LUKS self-destruct key
Date: Mon, 31 Mar 2014 11:35:44 +0200	[thread overview]
Message-ID: <20140331093544.GA20826@tansi.org> (raw)
In-Reply-To: <20140331071730.74571bd4@burger.lunch.za.net>

This has been discussed here several times, please search 
the mailing-list archives and read FAQ Item 5.21. 

The current take is that it makes no sense security-wise.
In fact, the possibility does more harm than good. This
is not "Mission: Impossible", this is the real world.

The only thing found to make some sense is to have an
explicite "erase/luksErase" command that does not take a 
password. cryptsetup has this since version 1.6.4.

Arno

On Mon, Mar 31, 2014 at 07:17:30 CEST, Andrew wrote:
> Greetings dm-crypt folks,
> 
> Is it feasable to add a self-destruct password to cryptsetup for LUKS,
> such that when this password is entered, the decryption code silently and
> deliberately overwrites all or part of the master key?
> 
> If you are facing an unjust order to produce a working key, having the
> option to produce a self-destruct key would be helpful in some
> circumstances.  There are a number of ham-fisted regimes and illegal
> groups that do not know the difference between decrypting data and running
> untrusted code.  Destroying the master key would look to these like a
> simple failed attempt at decryption, and ensure the permanenty destruction
> of the data that they are seeking.
> 
>  + Give us your key
>  - I don't remember it
>  + Give Us Your Key
>  - I really don't remember it
>  + GIVE US YOUR KEY
>  - I think it's "INITIATE-SELF-DESTRUCT-SEQUENCE" but I'm not sure
>  + That didn't work
>  - I told you I don't remember
> 
> 
> In pseudocode, the decryption would become something like this (based on
> my probably faulty understanding of LUKS):
> 
>     evaluate_password_for_slot(slot) {
> 	slot_plaintext=decrypt(slot_ciphertext, password);
> 	/* initiate self_destruct */
> 	if memcmp(slot_plaintext,SELF_DESTRUCT_PLAINTEXT,sizeof(SELF_DESTRUCT_PLAINTEXT))==0)
> 		wipe_master_key();
> 		wipe_key_slots();
> 	}
> 	/* self_destruct complete */
> 	master_key = decrypt(master_ciphertext, slot_key);
> 	if this_is_a_valid_master_key(master_key) { return E_SUCCESS; }
> 	return E_FAIL;
>     }
> 
> Code changes would include:
> 	Not considering a self-destruct key as a valid remaining key in luksKillSlot
> 	Front-end code to create a slot as a self-destruct key
> 	Back-end code to destroy the master key
> 	s/SELF_DESTRUCT/ESCROW/g  /* :) */
> 
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -  Plato