06-25-2012, 02:49 AM
Nick Boyce

Changing pass-phrase on dm-crypt'ed disks

I recently set up a Debian Squeeze system, using the installer's option to
encrypt the hard disk. It's working very well :-)

Good practice dictates that I should change the pass-phrase for this disk from
time to time, but my research ([1],[2]) suggests this is not
straightforward because of the scheme used by the installer.

The installer uses 'dm-crypt' to encrypt the drive, rather than the full LUKS
system - and 'dm-crypt' generates the encryption key directly from the pass-
phrase, rather than storing the encryption key in an on-volume "header"
protected by the pass-phrase. Therefore, changing the pass-phrase requires
all data to be decrypted and re-encrypted - a slow and cumbersome process.

This must be done either in situ (which is dangerous) or using a second
filesystem (which is expensive on disk space).

Just to put my mind at rest (...), can anyone here confirm my understanding:
the passphrase on a Debian-6.0 installer-encrypted disk volume can't currently
be changed unless you unload all the data, re-create the volume with a new
pass-phrase, and reload the data ?


Refs:

[1] http://www.saout.de/misc/dm-crypt/
(FAQ section)

Q: What if I want to change my passphrase?
A: At the moment you'll need to reencrypt your device because the passphrase
is directly tied to the key .... If you want to reencrypt your filesystem
you'll have to recreate a new one and move your files.

[2] http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions
(question 6.11)

Q: What does the on-disk structure of dm-crypt look like?
A: There is none. dm-crypt takes a block device and gives encrypted access to
each of its blocks with a key derived from the passphrase given ... If you
want to change the password, you basically have to create a second encrypted
device with the new passphrase and copy your data over


Thanks in advance,
Nick Boyce
--
Never FDISK after midnight


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/201206250349.14318.nick@glimmer.adsl24.co.uk
 
06-25-2012, 08:16 AM
Claudius Hubig

Changing pass-phrase on dm-crypt'ed disks

Hello Nick,

Nick Boyce <nick@glimmer.adsl24.co.uk> wrote:
> The installer uses 'dm-crypt' to encrypt the drive, rather than the full LUKS
> system - and 'dm-crypt' generates the encryption key directly from the pass-
> phrase, rather than storing the encryption key in an on-volume "header"
> protected by the pass-phrase.

Are you sure about that? I’ve set up quite a few systems and it
always used LUKS. You can check with

# cryptsetup luksDump <device>

Best regards,

Claudius
--
Marry in haste and everyone starts counting the months.
http://chubig.net telnet nightfall.org 4242
 
06-25-2012, 08:54 PM
Nick Boyce

Changing pass-phrase on dm-crypt'ed disks

On Monday 25 Jun 2012 09:16:23 Claudius Hubig wrote:

> Nick Boyce <nick@glimmer.adsl24.co.uk> wrote:
>
> > The installer uses 'dm-crypt' to encrypt the drive, rather than the full
> > LUKS system - and 'dm-crypt' generates the encryption key directly from
> > the pass- phrase, rather than storing the encryption key in an on-volume
> > "header" protected by the pass-phrase.
>
> Are you sure about that? I’ve set up quite a few systems and it
> always used LUKS.

No, I'm not sure - but I picked up that understanding from reading a lot of
forum threads about setting up new systems with encrypted disks.

I gained the distinct impression that current distribution installers use 'dm-
crypt' for simplicity, and that this is the same as 'cryptsetup' in "plain"
mode as opposed to 'LUKS' mode.

Now that I've been reading more in-depth history of Linux filesystem crypto
tools, I think the problem is that quite a lot of the documentation out there
is old, obsolete and misleading.

Many pages report the home of dm-crypt as being :
http://www.saout.de/misc/dm-crypt/
but I now think that site is woefully out of date, and consequently somewhat
misleading. Among other things, it says this :
"Clemens Fruhwirth is maintaining an enhanced version
of cryptsetup with the LUKS extension that allows you to
have an on-disk block of metadata which is superior to
the current mechanism and was my long term plan
anyway but I didn't find the time to implement that yet"
and this :
"Because the way using dmsetup directly is too
complicated for most people I'm currently writing a
native cryptsetup program to behave like one of the
patched losetup's out there"

The Debian Installation Manual [3] says :
"debian-installer supports several encryption methods.
The default method is dm-crypt"

I think it all needs updating and clarifying ...

Anyway, I was concerned not to attempt to do a 'cryptsetup
luksDelKey/luksAddKey' if there isn't actually an on-disk LUKS header to be
manipulated (for fear of corrupting the start of a "plain-mode" encrypted
volume).

> You can check with
> # cryptsetup luksDump <device>

Hmm .. well thanks for that command (I'm a novice) ... which confirms what you
say - my single encrypted raw disk partition (containing the LVM mapped system
volumes) does indeed have a LUKS header, with 8 keyslots; slot 0 is marked
"ENABLED", while the other 7 are "DISABLED".

I think I'll proceed by doing a 'luksHeaderBackup', and then trying a pass-
phrase change. The subject will be 350Gb of data which has taken two months
to set up, so I'll be holding my breath :-/

Thanks a lot for the clues !

[3] http://www.debian.org/releases/stable/amd64/ch06s03.html.en#partman-crypto

Cheers
Nick
--
Never FDISK after midnight


Archive: http://lists.debian.org/201206252154.23102.nick@glimmer.adsl24.co.uk
 
06-26-2012, 09:47 AM
Claudius Hubig

Changing pass-phrase on dm-crypt'ed disks

Hello Nick,

Nick Boyce <nick@glimmer.adsl24.co.uk> wrote:
> > You can check with
> > # cryptsetup luksDump <device>
>
> Hmm .. well thanks for that command (I'm a novice) ... which confirms what you
> say - my single encrypted raw disk partition (containing the LVM mapped system
> volumes) does indeed have a LUKS header, with 8 keyslots; slot 0 is marked
> "ENABLED", while the other 7 are "DISABLED".
>
> I think I'll proceed by doing a 'luksHeaderBackup', and then trying a pass-
> phrase change. The subject will be 350Gb of data which has taken two months
> to set up, so I'll be holding my breath :-/

If you do luksAddKey, you’ll have to enter one of the old
passphrases. After that, you can try unlocking the volume with the
new passphrase. If that succeeds, you can use luksKillSlot to remove
the first slot. For that, you’ll have to enter one of the remaining
passphrases (i. e. the one you just added).

I did this several times without problems, although I would suggest
unmounting the filesystem and closing the device.

Best regards,

Claudius
--
The life which is unexamined is not worth living.
-- Plato
http://chubig.net telnet nightfall.org 4242
 
06-26-2012, 02:40 PM
Nick Boyce

Changing pass-phrase on dm-crypt'ed disks

On Tuesday 26 Jun 2012 10:47:50 Claudius Hubig wrote:

> If you do luksAddKey, you’ll have to enter one of the old
> passphrases. After that, you can try unlocking the volume with the
> new passphrase. If that succeeds, you can use luksKillSlot to remove
> the first slot.

luksDelKey or luksKillSlot ?
I don't yet understand the relationship between them, nor when it is necessary
to "kill a key slot".

> I did this several times without problems, although I would suggest
> unmounting the filesystem and closing the device.

Um ... I'd have to be in single-user mode then I guess ... assuming there's
even enough software in /boot (and/or the initramfs) to fiddle with unmounted
encrypted root filesystems.

Cheers
Nick
--
Never FDISK after midnight


Archive: http://lists.debian.org/201206261540.06390.nick@glimmer.adsl24.co.uk
 
06-26-2012, 02:58 PM
Claudius Hubig

Changing pass-phrase on dm-crypt'ed disks

Hello Nick,

Nick Boyce <nick@glimmer.adsl24.co.uk> wrote:
> On Tuesday 26 Jun 2012 10:47:50 Claudius Hubig wrote:
>
> > If you do luksAddKey, you’ll have to enter one of the old
> > passphrases. After that, you can try unlocking the volume with the
> > new passphrase. If that succeeds, you can use luksKillSlot to remove
> > the first slot.
>
> luksDelKey or luksKillSlot ?
> I don't yet understand the relationship between them, nor when it is necessary
> to "kill a key slot".

Neither do I and the manpage doesn’t make that very clear either.

> Um ... I'd have to be in single-user mode then I guess ... assuming there's
> even enough software in /boot (and/or the initramfs) to fiddle with unmounted
> encrypted root filesystems.

Then first add the new key, reboot, check if the new key works, and
then delete the old one. That should work. I don’t think the
cryptsetup contained in the initramfs can do all that.

Best regards,

Claudius
--
"I say we take off; nuke the site from orbit. It's the only way to be sure."
-- Corporal Hicks, in "Aliens"
http://chubig.net telnet nightfall.org 4242
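The procedure the thread converges on (check with luksDump that there really is a LUKS header, back the header up, luksAddKey the new pass-phrase, verify it, and only then kill the old slot), written out as one script. This is an added example, not code from any of the posters: the device path, slot number and backup file name are placeholders, the luksDump text is constructed sample output in the LUKS1 format Nick describes (8 key slots, slot 0 ENABLED), and the `--test-passphrase` option to `luksOpen` is assumed to be available, which it is in newer cryptsetup releases but not necessarily in the version shipped with Squeeze; without it, the same check is opening the device under a temporary name and closing it again. On the naming question raised above: `luksKillSlot` removes a slot by its number, while `luksRemoveKey` removes whichever slot matches the pass-phrase you type. The script refuses to kill a slot unless another enabled slot remains, which is the failure mode that would turn a pass-phrase change into a permanently locked disk.

```shell
#!/bin/sh
# Added example, not code from the thread. Rotates a LUKS passphrase in the
# order the thread arrives at: confirm header -> back up header -> add new
# passphrase -> verify it -> kill the old slot. Device paths and file names
# are placeholders; SAMPLE_DUMP is constructed luksDump output.

# Print the numbers of the ENABLED key slots found in `cryptsetup luksDump`
# output read from stdin (LUKS1 format: "Key Slot N: ENABLED|DISABLED").
enabled_slots() {
    awk '/^Key Slot [0-9]+: ENABLED/ { sub(/:/, "", $3); printf "%s%s", sep, $3; sep = " " }
         END { print "" }'
}

# Succeed only if SLOT is enabled in the dump on stdin AND at least one other
# slot is enabled, so killing SLOT cannot leave the volume with no usable key.
safe_to_kill() {
    slot="$1"
    slots=$(enabled_slots)
    echo " $slots " | grep -q " $slot " || return 1
    [ "$(echo "$slots" | wc -w | tr -d ' ')" -ge 2 ]
}

# Run a command, or only print it when DRY_RUN=1 (rehearse before touching a disk).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# rotate_passphrase DEVICE OLD_SLOT HEADER_BACKUP_FILE
rotate_passphrase() {
    dev="$1"; old_slot="$2"; backup="$3"
    # A plain dm-crypt volume has no header to edit; refuse unless this is LUKS.
    run cryptsetup isLuks "$dev" || { echo "$dev is not a LUKS device" >&2; return 1; }
    # The header holds the only copies of the wrapped master key: back it up first.
    run cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup"
    # cryptsetup prompts for an existing passphrase, then for the new one.
    run cryptsetup luksAddKey "$dev"
    # Prove the new passphrase unlocks the header without mapping the device
    # (--test-passphrase is assumed to exist; it is in newer cryptsetup releases).
    run cryptsetup --test-passphrase luksOpen "$dev"
    # Never kill the last enabled slot: check the live header before removing anything.
    if [ "${DRY_RUN:-0}" != 1 ]; then
        cryptsetup luksDump "$dev" | safe_to_kill "$old_slot" \
            || { echo "refusing to kill slot $old_slot: not enabled, or the last enabled slot" >&2; return 1; }
    fi
    # luksKillSlot removes a slot by number; cryptsetup asks for a remaining passphrase (the new one).
    run cryptsetup luksKillSlot "$dev" "$old_slot"
}

# Constructed luksDump output for a freshly installed volume: one slot in use.
SAMPLE_DUMP='LUKS header information for /dev/sdX5

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
MK bits:        256

Key Slot 0: ENABLED
        Iterations:             100000
        Salt:                   (omitted)
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'
# The same header after luksAddKey has filled slot 1 (constructed).
SAMPLE_DUMP_AFTER=$(printf '%s\n' "$SAMPLE_DUMP" | sed 's/^Key Slot 1: DISABLED/Key Slot 1: ENABLED/')

# Usage: DRY_RUN=1 sh rotate.sh /dev/sdX5 0 /root/luks-header.img   (prints the steps)
#        sh rotate.sh /dev/sdX5 0 /root/luks-header.img             (performs them, as root)
if [ $# -ge 3 ]; then
    rotate_passphrase "$@"
fi
```

Run it once with `DRY_RUN=1` to see the exact cryptsetup invocations before running it for real; the header backup file it writes is as sensitive as the disk itself (anyone holding it plus an old pass-phrase can still unlock the data even after the slot is killed), so keep it off the machine and destroy it once the new pass-phrase has been confirmed across a reboot, as Claudius suggests above.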
 
06-26-2012, 07:48 PM
Celejar

Changing pass-phrase on dm-crypt'ed disks

On Mon, 25 Jun 2012 21:54:22 +0100
Nick Boyce <nick@glimmer.adsl24.co.uk> wrote:

> On Monday 25 Jun 2012 09:16:23 Claudius Hubig wrote:
>
> > Nick Boyce <nick@glimmer.adsl24.co.uk> wrote:
> >
> > > The installer uses 'dm-crypt' to encrypt the drive, rather than the full
> > > LUKS system - and 'dm-crypt' generates the encryption key directly from
> > > the pass- phrase, rather than storing the encryption key in an on-volume
> > > "header" protected by the pass-phrase.
> >
> > Are you sure about that? I’ve set up quite a few systems and it
> > always used LUKS.
>
> No, I'm not sure - but I picked up that understanding from reading a lot of
> forum threads about setting up new systems with encrypted disks.
>
> I gained the distinct impression that current distribution installers use 'dm-
> crypt' for simplicity, and that this is the same as 'cryptsetup' in "plain"
> mode as opposed to 'LUKS' mode..

I've done several installs with encryption, and I've always gotten LUKS.

> Now that I've been reading more in-depth history of Linux filesystem crypto
> tools, I think the problem is that quite a lot of the documentation out there
> is old, obsolete and misleading

That's for sure.

Celejar


Archive: http://lists.debian.org/20120626154828.d7e8e36f.celejar@gmail.com
 

Thread Tools




All times are GMT. The time now is 04:28 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org