Re: LUKS - lost token?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Oct 29, 2023, at 16:22, Samuel Sieb <samuel@xxxxxxxx> wrote:
> 
> On 10/29/23 12:47, Roberto Ragusa wrote:
>>> On 10/29/23 20:16, Jonathan Billings wrote:
>>> On Oct 29, 2023, at 11:00, Roberto Ragusa <mail@xxxxxxxxxxxxxxxx> wrote:
>>>> 
>>>> On 10/29/23 04:13, Robert Nichols wrote:
>>>>>> On 10/28/23 21:20, Robert Nichols wrote:
>>>>>> Yes, as long as the device is currently unlocked
>>>>> Oops. I just realized that recovering the master key from the kernel works only for LUKS1. Your device is using LUKS2, and and accessing the key from userspace is not possible with LUKS2. Sorry.
>>>> 
>>>> Really? I was not aware of that.
>>>> So keeping my systems far away from LUKS2 has been a good idea.
>>> 
>>> This is actually a good thing. Being able to extract a key was a security hole.
>> As far as I can see in this thread, it consists in hostility against
>> the owner of the machine, which is risking something similar to
>> a ransomware event.Data availability is one of the aspects of security, so this feature
>> is indeed a security issue.
> 
> That doesn't make any sense.  Do you consider it hostility that the owner can't extract his user password or the root password from the system?

Sometimes information security is gained in exchange for a loss of ease of use. We could all have no password at all on our systems, let anyone in, but that would have disastrous results. Likewise, we could keep the password on a scrap of paper under the keyboard, until someone steals it. 

The point I’m making is that the decryption passphrase should not be accessible to any root level process, be it a user with sudo or a compromised service. 

This is why you should create a backup passphrase in a different keyslot and store it someplace secure, just in case. 

-- 
Jonathan Billings
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux