LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 01-22-2020, 05:12 PM   #16
berndbausch
Senior Member
 
Registered: Nov 2013
Location: Tokyo
Distribution: A few
Posts: 4,108

Rep: Reputation: 1150Reputation: 1150Reputation: 1150Reputation: 1150Reputation: 1150Reputation: 1150Reputation: 1150Reputation: 1150Reputation: 1150

Quote:
Originally Posted by slac-in-the-box View Post
Question: Is the key contained in the header? If an attacker had this header's backup, would they be able to retrieve a key from it, with this chk_luks_keyslots program? If so, that explains why you have to custom compile it in. I never tape my passwords under my desk drawer--they're all in my head--but a file that could unlock everything, I must now protect too.
chk_luks_keyslots doesn't recover the key, it only checks how random the keyslots look.

However the backup should be jealously guarded, if possible offline, since it makes an attacker's life easier. I currently don't remember the full story.
 
1 members found this post helpful.
Old 01-22-2020, 10:42 PM   #17
z0gnadal
LQ Newbie
 
Registered: Jan 2020
Posts: 8

Original Poster
Rep: Reputation: Disabled
I downloaded entire source and saw this error. I went to /cryptsetup-master/lib/ and saw a file libcryptsetup.h so I copied all files from cryptsetup-master/lib/ to cryptsetup-master/misc/keyslot_checker/ but I still get this error
 
Old 01-22-2020, 10:51 PM   #18
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 4,360

Rep: Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001
Header file libcryptsetup.h would be in a cryptsetup-luks-devel package, which provides the header files needed to compile programs as opposed to just running them.
 
1 members found this post helpful.
Old 01-22-2020, 10:59 PM   #19
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 4,360

Rep: Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001
Quote:
Originally Posted by berndbausch View Post
However the backup should be jealously guarded, if possible offline, since it makes an attacker's life easier. I currently don't remember the full story.
The big issue with header backups is that even if you change the passphrase, someone in posession of that old header can still use it with the old passphrase to unlock the container.
 
1 members found this post helpful.
Old 01-23-2020, 12:31 PM   #20
z0gnadal
LQ Newbie
 
Registered: Jan 2020
Posts: 8

Original Poster
Rep: Reputation: Disabled
For some reason it doesn't show entropy
Code:
$ sudo ./chk_luks_keyslots -v /dev/sda6

parameters (commandline and LUKS header):
  sector size: 512
  threshold:   0.900000

- processing keyslot 0:  start: 0x001000   end: 0x03f800 
- processing keyslot 1:  keyslot not in use
- processing keyslot 2:  keyslot not in use
- processing keyslot 3:  keyslot not in use
- processing keyslot 4:  keyslot not in use
- processing keyslot 5:  keyslot not in use
- processing keyslot 6:  keyslot not in use
- processing keyslot 7:  keyslot not in use
It means it's corrupted ?
 
Old 01-24-2020, 08:54 AM   #21
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 4,360

Rep: Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001
That means the one in-use keyslot appears suitably random. All the program can detect is an overwrite with non-random data.
 
1 members found this post helpful.
Old 01-24-2020, 12:04 PM   #22
z0gnadal
LQ Newbie
 
Registered: Jan 2020
Posts: 8

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by rknichols View Post
That means the one in-use keyslot appears suitably random. All the program can detect is an overwrite with non-random data.
This mean that keyslot isn't corrupted and I just need to type correct password to unlock disk ?
 
Old 01-24-2020, 12:31 PM   #23
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 4,360

Rep: Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001Reputation: 2001
It just means the keyslot has no obvious corruption.
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: How to Lock and Unlock User in Linux How to Lock and Unlock User in Linux LXer Syndicated Linux News 0 11-10-2019 07:21 PM
LXer: Wildfire ransomware code cracked: Victims can now unlock encrypted files for free LXer Syndicated Linux News 0 08-24-2016 11:51 PM
Can mkinitrd unlock an encrypted device identified by uuid? michaelslack Slackware 3 03-28-2015 07:01 AM
Slackware 14.1: LUKS encrypted volumes + mkinitrd => missing dmsetup and can't unlock furryspider Slackware 4 11-16-2013 10:58 AM
LXer: Automatically Unlock LUKS Encrypted Drives With A Keyfile LXer Syndicated Linux News 0 07-09-2008 04:40 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:21 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration