1 |
On Sat, Jun 6, 2020 at 3:38 PM Victor Ivanov <vic.m.ivanov@×××××.com> wrote: |
2 |
> |
3 |
> On 06/06/2020 19:51, Rich Freeman wrote: |
4 |
> > Sure, if the attacker has a copy of the header they can spend as much |
5 |
> > time as they wish brute-forcing it. However, the same is true if they |
6 |
> > have the entire disk, and that is precisely the scenario we're trying |
7 |
> > to guard against. |
8 |
> |
9 |
> Not true. A key file stored outside the header is arguably way more |
10 |
> secure than a password - there's no longer a single point of failure. |
11 |
> Then there is also the option of having a detached LUKS header that is |
12 |
> never written to the block device in the first place which effectively |
13 |
> leaves the adversary with a stolen brick. |
14 |
|
15 |
Maybe we're miscommunicating, but it seems like you're moving the |
16 |
goalposts here. My point remains: |
17 |
|
18 |
The header is as secure as the disk. If the disk is secure against |
19 |
brute-force, then so is the header. |
20 |
|
21 |
Your original point was, "The problem here is that a leaked header |
22 |
immediately means a compromised volume." |
23 |
|
24 |
This makes no sense. The whole reason you're using encryption is to |
25 |
protect the data if your disk is stolen/etc. If they steal the disk |
26 |
they get the header too. So, if a leaked header means that your |
27 |
volume is compromised, then a stolen disk does so as well, which means |
28 |
your encryption is worthless. |
29 |
|
30 |
Now, obviously if you don't store the key in the header or store the |
31 |
header on the disk, that is more secure. However, if the key isn't in |
32 |
the header then a leaked header does not give an attacker any |
33 |
opportunity to brute-force it, because there is nothing to brute |
34 |
force. |
35 |
|
36 |
There are many things that can be done to make the disk more secure, |
37 |
like not using a memorable password or not storing the key on the |
38 |
disk. Obviously these sorts of solutions create additional problems |
39 |
with key management, and if you solve them incorrectly then you might |
40 |
actually reduce security. |
41 |
|
42 |
> I was merely emphasising the fact that |
43 |
> when using a password, having the facility to change the password can |
44 |
> give a false sense of security |
45 |
|
46 |
Sure, there is really no point in "rotating passwords" with LUKS. If |
47 |
somebody gets a copy of your disk then they effectively have a |
48 |
snapshot of your password. If you later change it the data they still |
49 |
have a copy of what it used to be. |
50 |
|
51 |
And if they do have the ability to periodically snapshot your header |
52 |
and you keep changing your password, then they can bruteforce all your |
53 |
passwords in parallel and if they obtain any of them they can decrypt |
54 |
the drive, unless you change the session key and re-encrypt the drive. |
55 |
|
56 |
With any of these things you have to understand your threat model. |
57 |
For example, on my distributed filesystem I'm moving to encrypted |
58 |
drives to protect me in case I have to dispose of a drive without the |
59 |
opportunity to wipe it first. To do this I'm just going to store my |
60 |
keys on the root filesystem so that the systems can be booted without |
61 |
interaction. Obviously if somebody compromises the files with the |
62 |
keys they can decrypt my drives, but this means that I just have to |
63 |
protect a couple of SD cards which contain my root filesystems, |
64 |
instead of worrying about each individual hard drive. The drives |
65 |
themselves end up being much more secure, because the password used to |
66 |
protect each drive is random and long - brute-forcing the password |
67 |
will be no easier than brute-forcing AES itself. This doesn't protect |
68 |
me at all if somebody breaks into my house and steals everything. |
69 |
|
70 |
-- |
71 |
Rich |