From: Ondrej Kozina <okozina@redhat.com>
To: Dm-crypt <dm-crypt@saout.de>
Cc: "JT Morée" <moreejt@yahoo.com>
Subject: Re: [dm-crypt] unbound keys
Date: Tue, 31 Mar 2020 10:49:41 +0200 [thread overview]
Message-ID: <8e692b82-04cc-693c-08e7-cb6524916c23@redhat.com> (raw)
In-Reply-To: <5602805.1319309.1585599459612@mail.yahoo.com>
Hi,
On 3/30/20 10:17 PM, JT Morée wrote:
> After reading the luks2 FAQ, spec and archives I don't understand what an unbound key is used for.
That's our never ending struggle to improve documentation and blog posts
coverage. Hope things get calmer after 2.4.0 release so that we can
focus on this effort.
>
> Assuming the unbound key is created from encrypting the given file with the other file specified by --master-key-file: how would I use it? Can it be extracted so that I can decrypt it later? Do I need to write C code to extract the data as-is it or will cryptsetup already do it? If not and I'm going to write C then should it be integrated as a new command in cryptsetup?
The principle of unbound keys is quite simple. In general 'unbound key'
or 'unbound luks2 keyslot' contains secret stored in LUKS2 keyslot _not_
currently bound to (associated with) any data segment (crypt segment) in
LUKS2 'Segments' section.
So it's independent 'key' stored in luks2 keyslot and it cannot be used
to unlock LUKS2 data device (yet).
What we use it for currently:
1) LUKS2 reencryption. Future/new volume key in stored in unbound
keyslot and it became regular LUKS2 keyslot later when it's used to
actually decrypt/encrypt some crypt segment.
2) Somehow similar use case as 1) is used with wrapped key scheme (used
with e.g. paes cipher). The VK stored in keyslot is in fact binary blob
(encrypted again). The KEK for that binary blob may be refreshed (KEK in
this case is not managed by cryptsetup!) and binary blob gets changed.
For the KEK refresh process 'unbound keyslot' is used. First you store
future effective VK in unbound keyslot and later it gets enforced to
become new real VK (bound to current dm-crypt segment).
>
> Since the unbound feature does the encryption: is it compatible with a smart card (PGP/GPG)?
>
> sudo cryptsetup luksAddKey --unbound --master-key-file ../lukstest/publickey.pem /dev/sdb --key-size 512 ../lukstest/privatekey
No, that's not how unbound keys work. With this command in particular
you'd add new unbound keyslot where content would be first 64 bytes of
publickey.pem file. Passphrase for that unbound keyslot would be
privatekey file content.
But interesting idea and perhaps it could be done later with new tokens
loadable plugins (2.4.0 release).
Regards
O.
next prev parent reply other threads:[~2020-03-31 8:56 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <5602805.1319309.1585599459612.ref@mail.yahoo.com>
2020-03-30 20:17 ` [dm-crypt] unbound keys JT Morée
2020-03-31 8:49 ` Ondrej Kozina [this message]
2020-03-31 9:21 ` Arno Wagner
2020-04-02 11:28 ` Ondrej Kozina
2020-04-02 17:58 ` Arno Wagner
2020-03-31 10:03 ` Ondrej Kozina
2020-03-31 15:05 ` JT Morée
2020-04-02 11:37 ` Ondrej Kozina
2020-04-03 20:53 ` JT Morée
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8e692b82-04cc-693c-08e7-cb6524916c23@redhat.com \
--to=okozina@redhat.com \
--cc=dm-crypt@saout.de \
--cc=moreejt@yahoo.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox