Re: Mechanics

On 12/02/2009 02:51 PM, julie_nuckey@xxxxxxxxxxxxxxxx wrote:

> I really want to know if it is possible for the password/key to be exposed in the process
> of transferring it from user mode to kernel mode, or if it could remain in memory as
> a result, that's why I'm asking about the mechanics of what happens between cryptsetup
> (user mode) and dm-crypt (kernel mode).

- the passphrase (or password) is processed only in userspace, never sent in open form
to the kernel

- all communication (configuration) of a dm-crypt device (the mapped keyslot is
also a temporary dm-crypt device) is through dm-ioctl calls

- you must provide the key (part of the mapping table) in this call in text format
(see "dmsetup table --showkeys") for dm-crypt to configure the requested crypto mapping

that key is basically (simplified)
 1) the hashed passphrase in plain mode, or
 2) the LUKS PBKDF2-derived key for mapping the keyslot area (for the temporary keyslot device), or
 3) the master key for the real LUKS device mapping (read and un-obfuscated from the keyslot area)

Just to add:
- only root can use dm-ioctl and only root can use cryptsetup for these operations
- cryptsetup locks its memory to prevent swapping sensitive data
- all sensitive data are erased before returning memory (both in kernel and userspace)
 
> In "plain" mode the password must be passed to the kernel,

Not exactly. It is the hashed passphrase that is sent to kernel dm-crypt.

> but in LUKS mode, the 
> password is used to decrypt the master key which is in the kernel. If cryptsetup is 
> user mode only, what exactly does the kernel mode decryption of the master key? Can't
> be dm-crypt as this doesn't know anything about LUKS.

cryptsetup (userspace) creates a temporary dm-crypt mapping over the keyslot area with the derived key
generated from the passphrase (see above), then reads this new dm-crypt device to get the data
(and applies AF over it to get the master key candidate)

Please read the LUKS documentation and source for an exact description (and the archive of this list)
http://code.google.com/p/cryptsetup/wiki/Specification

Milan
--
mbroz@xxxxxxxxxx
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
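The keyslot steps described in the reply above (PBKDF2-derived key for the temporary keyslot mapping, AF merge of the data read back from it, and the master key digest check that accepts or rejects the candidate), as an added Python example that is not part of this thread and not cryptsetup's own code. The AF split/merge follows the LUKS1 specification; the cipher step performed by dm-crypt is left out, so the "decrypted keyslot area" here is simply the output of af_split, and the stripe count, hash and digest parameters are assumed LUKS1 defaults.

```python
import hashlib
import os
import struct
from typing import Optional

LUKS_STRIPES = 4000  # assumed LUKS1 default anti-forensic stripe count


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _diffuse(block: bytes, hash_name: str) -> bytes:
    # AF diffusion: hash each digest-sized chunk, prefixed with a big-endian chunk counter.
    size = hashlib.new(hash_name).digest_size
    out = bytearray()
    for i in range(0, len(block), size):
        chunk = block[i:i + size]
        out += hashlib.new(hash_name, struct.pack(">I", i // size) + chunk).digest()[:len(chunk)]
    return bytes(out)


def derive_keyslot_key(passphrase: bytes, slot_salt: bytes, iterations: int, key_len: int) -> bytes:
    # The key cryptsetup hands to the temporary dm-crypt mapping over the keyslot area.
    return hashlib.pbkdf2_hmac("sha1", passphrase, slot_salt, iterations, key_len)


def af_split(key: bytes, stripes: int = LUKS_STRIPES, hash_name: str = "sha1") -> bytes:
    # Done before the keyslot is encrypted: stripes-1 random stripes plus one computed stripe.
    d, out = bytes(len(key)), bytearray()
    for _ in range(stripes - 1):
        s = os.urandom(len(key))
        out += s
        d = _diffuse(_xor(d, s), hash_name)
    out += _xor(d, key)  # last stripe: every earlier stripe is needed to recover the key
    return bytes(out)


def af_merge(material: bytes, key_len: int, stripes: int = LUKS_STRIPES, hash_name: str = "sha1") -> bytes:
    # Reverse of af_split, run over the plaintext read back from the temporary dm-crypt device.
    d = bytes(key_len)
    for k in range(stripes - 1):
        d = _diffuse(_xor(d, material[k * key_len:(k + 1) * key_len]), hash_name)
    return _xor(d, material[(stripes - 1) * key_len:stripes * key_len])


def mk_digest(master_key: bytes, salt: bytes, iterations: int) -> bytes:
    # LUKS1 header stores PBKDF2(master key) so a candidate can be verified before mapping the device.
    return hashlib.pbkdf2_hmac("sha1", master_key, salt, iterations, 20)


def recover_master_key(keyslot_plain: bytes, key_len: int, header_digest: bytes,
                       digest_salt: bytes, digest_iter: int) -> Optional[bytes]:
    # Returns the master key only when the AF-merged candidate matches the header digest.
    candidate = af_merge(keyslot_plain, key_len)
    return candidate if mk_digest(candidate, digest_salt, digest_iter) == header_digest else None
```

A wrong passphrase yields garbage from the temporary mapping, the merged candidate then fails the digest check, and no real device mapping is created.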