1 |
On 06/06/2020 05:37, Dale wrote: |
2 |
> One other question, can one change the password every once in a while? |
3 |
> Or once set, you stuck with it from then on? |
4 |
|
5 |
A point I forgot to mention in my previous email is regarding passwords. |
6 |
While most encryption methods will allow for a password change (CryFS |
7 |
doesn't) be mindful that with methods used to encrypt large amounts of |
8 |
data the actual encryption key is generated once at volume creation time |
9 |
and is never changed. A password is only used to decrypt/derive the key |
10 |
itself. |
11 |
|
12 |
This is purely due to practical considerations. If you change the actual |
13 |
encryption key, then all encrypted data will have to be decrypted with |
14 |
the old key and re-encrypted with the new key. This may be a perfectly |
15 |
reasonable thing to do for file-based encryption or small amounts of |
16 |
data where a password change also means a key change, but is completely |
17 |
infeasible for larger scale volume encryption that may contain hundreds |
18 |
of GB of data. |
19 |
|
20 |
Thus, if a password has been compromised, it is not unreasonable to |
21 |
assume that anyone who knows the password and has had access to the |
22 |
encrypted volume might be able to get [or has already got] hold of the |
23 |
encryption key itself once the volume was opened. Hence, changing a |
24 |
leaked password doesn't make a compromised volume secure again. |
25 |
|
26 |
Of course, if it can be safely determined that a leaked password has not |
27 |
yet been used to access the volume, a swift preemptive change of the |
28 |
password will retain security. |
29 |
|
30 |
There is one exception to this where an adversary has a copy of the |
31 |
header (or similar) of the encryption volume. Here's a quick example |
32 |
with LUKS. A LUKS volume has a ~2MB header which stores all (hashed) |
33 |
passwords and the password-encrypted decryption key. The header can be |
34 |
read and stored separately. In fact, it's good practice for one to back |
35 |
up the header in case it ever gets corrupted (a corrupt header often |
36 |
means saying goodbye to your data w/o a backup). |
37 |
|
38 |
The problem here is that a leaked header immediately means a compromised |
39 |
volume. An adversary who gets hold of the header can now spend as much |
40 |
time as they would like to brute force a password (depending on password |
41 |
strength) and derive the encryption key. Or if they have an (older) copy |
42 |
of the header with a leaked password before it was changed they can get |
43 |
hold of the encryption key with virtually no effort at all by using said |
44 |
password. The only solution to a compromised header is full |
45 |
re-encryption. Even having a rolling password won't change that. |
46 |
|
47 |
Bottom line wrt passwords, one should not rely on or assume that having |
48 |
the facility to change a password will keep their data safe. If using a |
49 |
password, a strong password is a must. |
50 |
|
51 |
Again, it boils down to the usual trade-offs, likelihood of physical |
52 |
access, etc, etc. But I thought it an important point to note, as a |
53 |
surprisingly large number of people I have spoken to before seem to be |
54 |
unaware of this caveat (I'm not suggesting you are one of them). |
55 |
|
56 |
Regards, |
57 |
Victor |