Am Montag, den 04.09.2006, 13:22 +0200 schrieb Rick van Rein: > I was shocked to learn that the encryption keys for dm-crypt volumes are > visible to root: > > # dmsetup table swap > 0 1975932 crypt aes-cbc-plain 3132333435363738313233343536373831323334353637383132333435363738 0 3:6 0 > > The 3132... reveals what I put in the keyfile that I setup for this test. > > Showing this kind of information is a Bad Idea. It means, for example, > that an encrypted swap can be read after system down by anyone who happened > to record this bit of information. > > It also means that encrypted file systems, which have to rely on symmetric > encryption with long-lived keys, are a lot more open to attacks than > strictly necessary. > > It has always been good design practice to hide keys like these from > users, even root, because the forward-direction of supplying the same > key at later sessions is always possible. The convenience of listing > the table in a copy/paste mode is far too convenient for attackers. Of course, it is a good idea, but it still fails for the following reasons: - root can do anything, even look in kernel memory for the key where you can't hide it at all. The only exception would be some specially secured versions of Linux where root doesn't have that capability. (BTW: I didn't even need special hacker tools to do this, simple shell tools were enough) - It would break the userspace contract that tools can read the table, modify it and write it back. I had a better solution in mind last year. The idea was to use the new Linux keyring API and store the actual key there. The device-mapper would then only get a key to that handle. Unfortunately there were some severe in-kernel locking problems with the API that prevented me to proceed, and nobody seemed interested in solving that problem, so I gave up.
Attachment:
signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil
