Hi, On Tue, Nov 15, 2011 at 11:37:50AM +0530, saurabhasamanta@xxxxxxxxx wrote: > I am new to disk based encryption techniques . I have encrypted the disk > using cryptsetup. I used dmsetup tool where I am able to see the table > with the keys and encryption details. Following steps were followed > > 1. Encrypting of the disk (pendrive) using "cryptsetup" > 2. Creating the file system using "mkfs" > 3. Mounting of disk > 4. Unmounted the disk. > 5. Reinserted the disk > 6. Used "dmsetup table --showkeys" to get the table. > 7. Used the table values and dmsetup tool to mount the disk. > > Question I would like to ask: > 1. Is this a loophole or vulnerability that key is accessible? No. If you are root on a Linux system, you can read the whole memory anyways, and the key is somewhere in the memory image. Also if the container is mapped, root can access anything in it anyways. > 2. What are the security implications if I have the key using dmsetup? None. Unless you store it somewhere. For a discussion of LUKS header backups and storing the master key, see the cryptsetup FAQ. > 3. How secure is my disk ? Answering that question requires a full risk analysis. > 4. Is there any solution to hide the key from getting exposed? Protect your root account. It seems, however, what you did forget in your test was to unmap the encrypted container. Until you do, the key is in memory. Unmounting does not remove that mapping. Use "cryptsetup remove <device mapped to>" for plain and "cryptsetup luksClose <device mapped to>" for LUKS containers to remove the mapping, which also removes the key from memory. Arno > Thank you. > > > > > Confidentiality Notice > > The information contained in this electronic message and any > attachments to this message are intended for the exclusive use of > the addressee(s) and may contain confidential or privileged > information. If you are not the intended recipient, please notify > the sender at Bharat Electronics or support@xxxxxxxxx immediately > and destroy all copies of this message and any attachments. > > _______________________________________________ > dm-crypt mailing list > dm-crypt@xxxxxxxx > http://www.saout.de/mailman/listinfo/dm-crypt > -- Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F ---- Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
