From: Arno Wagner
Subject: Re: [dm-crypt] FAQ rework for LUKS2: First pass done
Date: Tue, 28 Apr 2020 15:30:22 +0200 (CEST)
To: dm-crypt@saout.de
Message-ID: <20200428133022.GA28848@tansi.org>
In-Reply-To: <111354031.932645.1587998242849@mail.yahoo.com>

Hi JT,

thanks, that is definitely helpful. Streamlined a bit and added as Item 10.9

Regards,
Arno

On Mon, Apr 27, 2020 at 16:37:22 CEST, JT Morée wrote:
> New additions to FAQ are great. Thank you Arno.
>
> These are the questions I asked on this list within the last few months that I have answers for (thank you all). My other questions are not yet researched/answered. Most of them I sent in a previous email. Will send again as finished or on request. Feel free to add if it seems useful. I don't need attribution as you guys did all the work.
> -------------------------------------------
>
> Q: What is an unbound keyslot?
>
> A: Quite simply, an 'unbound key' is an independent 'key' stored in a LUKS2 keyslot that cannot be used to unlock the LUKS2 data device.
>
> More specifically, an 'unbound key' or 'unbound LUKS2 keyslot' contains a secret stored in a LUKS2 keyslot that is not currently associated with any data segment (crypt segment) in the LUKS2 'Segments' section.
>
> Q: What is an unbound keyslot used for?
>
> A: What dm-crypt uses it for as of April 2020:
>
> 1) LUKS2 reencryption. The future/new volume key is stored in an unbound
> keyslot and it becomes a regular LUKS2 keyslot later when it is used to
> actually decrypt/encrypt some crypt segment.
>
> 2) A similar use case as in 1) is used with the wrapped key scheme (used
> with e.g. the paes cipher). The VK stored in the keyslot is in fact a binary blob
> (encrypted again). The KEK for that binary blob may be refreshed (the KEK in
> this case is not managed by cryptsetup!) and the binary blob gets changed.
> For the KEK refresh process an 'unbound keyslot' is used. First you store
> the future effective VK in an unbound keyslot and later it gets enforced to
> become the new real VK (bound to the current dm-crypt segment).
>
>
> JT
>
>
> On Sunday, April 26, 2020, 9:35:08 AM MST, Arno Wagner wrote:
>
> Hi all,
>
> I just finished the first pass through the FAQ to adapt it for LUKS2.
> In particular I did the following:
>
> - Clearly state LUKS1 or LUKS2 for things that do not apply to both
> - Still use "LUKS" when both LUKS1 and LUKS2 are affected
> - Added references for the LUKS2 header spec
> - Added specific instructions for LUKS2 where needed
> - Added a (currently pretty short) LUKS2 section
>
> If some of you find the time to read through it and let me know
> about any errors or omissions, I would appreciate it.
>
> Also, if you have any suggestions for Section 10 (LUKS2 Questions),
> or maybe even a small item to add, I would appreciate that as
> well. In particular, the LUKS2 section would benefit from some
> mini-HOWTOs, I think.
>
> As usual, the FAQ is found at
>   https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions
>
> I did update the version in the sources as well, but that may take a while
> to propagate.
>
> Regards,
> Arno
>
>
> --
> Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
> GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
> ----
> A good decision is based on knowledge and not on numbers. -- Plato
>
> If it's in the news, don't worry about it.  The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> https://www.saout.de/mailman/listinfo/dm-crypt

--
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
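An added example, not part of this thread and not cryptsetup's own code, to make the definition above concrete: in the LUKS2 header a keyslot is linked to a crypt segment only through a 'digests' object that lists both the keyslot and the segment, so "unbound" can be read off the JSON metadata as a keyslot that no digest ties to any segment. The script below takes a constructed, abbreviated LUKS2 JSON metadata object (placeholder salts and digest values, layout following the keyslots/segments/digests sections of the on-disk format; it was not read from a real header) and reports which keyslots are bound to which segments and which are unbound, which is the state cryptsetup leaves a keyslot in after `luksAddKey --unbound`. A dangling reference from a digest to a keyslot or segment that does not exist is treated as header corruption rather than as an unbound keyslot. To run it against a real device, feed it the JSON area of the header (recent cryptsetup versions print it with `luksDump --dump-json-metadata`; that is an assumption about your version, check its man page).

```python
import json

# Constructed, abbreviated LUKS2 JSON metadata for illustration only (not read
# from a real header; salt/digest fields are placeholders). Layout follows the
# LUKS2 on-disk format: keyslots hold the wrapped keys, segments describe the
# encrypted data regions, and digests tie keyslots to segments.
#   keyslot "0" is bound to crypt segment "0" through digest "0"
#   keyslot "1" is unbound: digest "1" lists it but names no segment, which is
#   how a future volume key sits in the header before it is put to use
SAMPLE_METADATA = json.dumps({
    "keyslots": {
        "0": {"type": "luks2", "key_size": 64,
              "af": {"type": "luks1", "stripes": 4000, "hash": "sha256"},
              "area": {"type": "raw", "offset": "32768", "size": "258048",
                       "encryption": "aes-xts-plain64", "key_size": 64},
              "kdf": {"type": "argon2id", "time": 4, "memory": 1048576,
                      "cpus": 4, "salt": "<salt-0>"}},
        "1": {"type": "luks2", "key_size": 64,
              "af": {"type": "luks1", "stripes": 4000, "hash": "sha256"},
              "area": {"type": "raw", "offset": "290816", "size": "258048",
                       "encryption": "aes-xts-plain64", "key_size": 64},
              "kdf": {"type": "argon2id", "time": 4, "memory": 1048576,
                      "cpus": 4, "salt": "<salt-1>"}},
    },
    "segments": {
        "0": {"type": "crypt", "offset": "16777216", "size": "dynamic",
              "iv_tweak": "0", "encryption": "aes-xts-plain64",
              "sector_size": 512},
    },
    "digests": {
        "0": {"type": "pbkdf2", "keyslots": ["0"], "segments": ["0"],
              "hash": "sha256", "iterations": 100000,
              "salt": "<dsalt-0>", "digest": "<digest-0>"},
        "1": {"type": "pbkdf2", "keyslots": ["1"], "segments": [],
              "hash": "sha256", "iterations": 100000,
              "salt": "<dsalt-1>", "digest": "<digest-1>"},
    },
    "tokens": {},
    "config": {"json_size": "12288", "keyslots_size": "16744448"},
})


def keyslot_bindings(metadata_json):
    """Map every keyslot id to the sorted list of segment ids it can unlock.

    A keyslot reaches a segment only through a digest that lists both. A
    keyslot whose list comes back empty is unbound in the sense used in the
    thread above. A digest that names a keyslot or segment the header does
    not contain is reported as an error: that header is corrupt, not unbound.
    """
    meta = json.loads(metadata_json)
    keyslots = set(meta.get("keyslots", {}))
    segments = set(meta.get("segments", {}))
    bound = {ks: set() for ks in keyslots}
    for dg_id, dg in meta.get("digests", {}).items():
        for ks in dg.get("keyslots", []):
            if ks not in keyslots:
                raise ValueError(f"digest {dg_id} references missing keyslot {ks}")
            for seg in dg.get("segments", []):
                if seg not in segments:
                    raise ValueError(f"digest {dg_id} references missing segment {seg}")
                bound[ks].add(seg)
    return {ks: sorted(segs) for ks, segs in bound.items()}


def unbound_keyslots(metadata_json):
    """Ids of the keyslots that are not associated with any segment."""
    return sorted(ks for ks, segs in keyslot_bindings(metadata_json).items()
                  if not segs)


def report(metadata_json):
    """One human-readable line per keyslot, in keyslot-id order."""
    lines = []
    for ks, segs in sorted(keyslot_bindings(metadata_json).items()):
        state = "bound to segment(s) " + ", ".join(segs) if segs else "UNBOUND"
        lines.append(f"keyslot {ks}: {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_METADATA))
```

Note that an unbound keyslot still holds a valid, password-protected secret; the script only tells you that nothing on the device is currently encrypted under it, so a slot that shows up as UNBOUND on a device that is not mid-reencryption and does not use a wrapped-key cipher deserves a closer look.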