[dm-crypt] How to increase key size of existing volume

[dm-crypt] How to increase key size of existing volume

[Erik Logtenberg]

Dear list,

I have been using luks for quite some time, and as a result I have
several luks volumes in use that are still based on 128 bits key sizes.
Current default in Fedora is already upped to 256 bits and RSA even
advices key sizes of 1024 or even 2048 for highly secure stuff.

So, how do I increase the key size? In man cryptsetup I see that the
--key-size option only applies to the create, luksFormat and loopaesOpen
commands. Is there any way I can make this happen?

Thanks,

Erik Logtenberg.

Re: [dm-crypt] How to increase key size of existing volume

[Arno Wagner]

On Tue, Dec 11, 2012 at 03:46:19PM +0100, Erik Logtenberg wrote:
> Dear list,
> 
> I have been using luks for quite some time, and as a result I have
> several luks volumes in use that are still based on 128 bits key sizes.
> Current default in Fedora is already upped to 256 bits and RSA even
> advices key sizes of 1024 or even 2048 for highly secure stuff.

You are confusing symmetric and assymetric keys here. 2048 bit
asymmetric is (very roughly) equivalent to 128 bit symmetric.

Have a look here for currently recomended key sizes:

  http://www.keylength.com/

There is no idication that anybody can break 128 but AES
at this time or in the next few decades. Your passphrase
has likely a lot less entropy anyways and is the better
target. 
 
> So, how do I increase the key size? In man cryptsetup I see that the
> --key-size option only applies to the create, luksFormat and loopaesOpen
> commands. Is there any way I can make this happen?

It is unnecessary. If you really want to, use your normal
backup procedure, recreate a new LUKS volume and restore
(you do have backup, right?). 

There is also a re-encryption in place tool by Milan, but that is 
experimental and definitely requires a current backup.
It is called "cryptsetup-reencrypt" and part of the source package
as of version 1.5.0 (current version is 1.5.1).

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell

Re: [dm-crypt] How to increase key size of existing volume

[Erik Logtenberg]

Hi Arno,

Thanks for your explanation. It is good to know that the 128 bit
symmetric encryption key is still considered okay to some extent.

I did try the keylength site, and if I want my volume to be secure until
roughly a decade after my projected demise, say 2100, then the adviced
symmetric key size is already 135, 147 or 256 depending on the used
method. So it'd still be somewhat better to increase the current 128 a bit.

> (you do have backup, right?).

Actually I am talking about my backup volume. And as such, it is quite a
bit of data, that I don't have a (second) backup of. Neither do I have
enough storage available to make an additional backup, nor the required
amount of time, since a full copy/restore of such a volume would take weeks.

In fact, there seems to be a second use case for re-encrypting an
existing volume. I read some articles explaining the possibility to use
the luksDump command in conjunction with the --dump-master-key option on
a mounted luks volume, to reset the password even if the current
password is no longer known.
Additionally, also the luksHeaderBackup command is available to extract
the master key.

So there are at least two methods of extracting a master key. Now if I
would suspect that a machine, that has a luks volume mounted, was
compromised to the extent that someone had temporaryly gained root
access, I would not only have to reset (all) passwords after fixing the
security hole, but also I would have to create a new master key to be sure.

Is the cryptsetup-reencrypt tool also meant for that purpose?

Thanks,

Erik.


On 12/11/2012 04:09 PM, Arno Wagner wrote:
> On Tue, Dec 11, 2012 at 03:46:19PM +0100, Erik Logtenberg wrote:
>> Dear list,
>>
>> I have been using luks for quite some time, and as a result I have
>> several luks volumes in use that are still based on 128 bits key sizes.
>> Current default in Fedora is already upped to 256 bits and RSA even
>> advices key sizes of 1024 or even 2048 for highly secure stuff.
> 
> You are confusing symmetric and assymetric keys here. 2048 bit
> asymmetric is (very roughly) equivalent to 128 bit symmetric.
> 
> Have a look here for currently recomended key sizes:
> 
>   http://www.keylength.com/
> 
> There is no idication that anybody can break 128 but AES
> at this time or in the next few decades. Your passphrase
> has likely a lot less entropy anyways and is the better
> target. 
>  
>> So, how do I increase the key size? In man cryptsetup I see that the
>> --key-size option only applies to the create, luksFormat and loopaesOpen
>> commands. Is there any way I can make this happen?
> 
> It is unnecessary. If you really want to, use your normal
> backup procedure, recreate a new LUKS volume and restore
> (you do have backup, right?). 
> 
> There is also a re-encryption in place tool by Milan, but that is 
> experimental and definitely requires a current backup.
> It is called "cryptsetup-reencrypt" and part of the source package
> as of version 1.5.0 (current version is 1.5.1).
> 
> Arno
> 

Re: [dm-crypt] How to increase key size of existing volume

[Milan Broz]

On 12/11/2012 04:34 PM, Erik Logtenberg wrote:
> So there are at least two methods of extracting a master key. Now if I
> would suspect that a machine, that has a luks volume mounted, was
> compromised to the extent that someone had temporaryly gained root
> access, I would not only have to reset (all) passwords after fixing the
> security hole, but also I would have to create a new master key to be sure.

So attacker had already access to your mounted backup in plaintext
and could change anything there.

> 
> Is the cryptsetup-reencrypt tool also meant for that purpose?

yes, in fact changing volume (master) key was primary use for it.

Read http://asalor.blogspot.cz/2012/08/re-encryption-of-luks-device-cryptsetup.html

(But always be sure you have backup. Backup of backup in your case :)

Milan

Re: [dm-crypt] How to increase key size of existing volume

[Arno Wagner]

On Tue, Dec 11, 2012 at 04:34:40PM +0100, Erik Logtenberg wrote:
> Hi Arno,
> 
> Thanks for your explanation. 

You are welcome.

> It is good to know that the 128 bit
> symmetric encryption key is still considered okay to some extent.

Until AES gets (real-world) broken, it will be secure. So not
only "to some extent" ;-)
 
> I did try the keylength site, and if I want my volume to be secure until
> roughly a decade after my projected demise, say 2100, then the adviced
> symmetric key size is already 135, 147 or 256 depending on the used
> method. So it'd still be somewhat better to increase the current 128 a bit.

There are no reliable forecasts for 2100. Even 30 years is highly
speculative. Brute-forcing 128 bits may not be possible even
in 2100, but AES may get broken. And, as I said, your passphrase
needs to be 128 bit as well (well, accounting for iteration, only
something like 110 bit, but that is still 22 random characters and 
letters). 
 
> > (you do have backup, right?).
> 
> Actually I am talking about my backup volume. And as such, it is quite a
> bit of data, that I don't have a (second) backup of. Neither do I have
> enough storage available to make an additional backup, nor the required
> amount of time, since a full copy/restore of such a volume would take weeks.

I see. My advice would be to get that second backup and just 
copy the primary backup over to it. 
 
> In fact, there seems to be a second use case for re-encrypting an
> existing volume. I read some articles explaining the possibility to use
> the luksDump command in conjunction with the --dump-master-key option on
> a mounted luks volume, to reset the password even if the current
> password is no longer known.
> Additionally, also the luksHeaderBackup command is available to extract
> the master key.

That does not help you to change the master key, and that is what 
you need to do if you want a longer one. A better passphrase 
can just be added (luksAddKey) and then the old one removed
(luksRemoveKey). But with this the master key and disk
encryption cipher stay the same.
 
> So there are at least two methods of extracting a master key. Now if I
> would suspect that a machine, that has a luks volume mounted, was
> compromised to the extent that someone had temporaryly gained root
> access, I would not only have to reset (all) passwords after fixing the
> security hole, but also I would have to create a new master key to be sure.

Yes. And new data, as the attacker had access to all of it.
Of course, that is usually not possible... 

> Is the cryptsetup-reencrypt tool also meant for that purpose?

In fact that would be its primary use. And the case does arise. 
Milan is a very careful developer/maintainer and would not have 
created a potentially unsafe tool like this otherwise.

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell