On Thu, Oct 27, 2016 at 01:17:42 CEST, Robert Nichols wrote:
> On 10/26/2016 11:43 AM, ClEmFoster wrote:
> > hello,
> >
> > The setup:
> >
> > I work in an environment that has a whole disk encryption requirement for
> > VMs. If the VM is restarted an admin has to hit the console and type in
> > the passphrase to boot. This is OK, we don't reboot much, and security
> > guys are happy. The problem is they are going to start requiring that
> > these machines also receive a passphrase change every 3 or 6 months. That
> > brings me to the question.
>
> Are "they" aware that anyone who has had read access to the device
> with the LUKS container has had an opportunity to copy the LUKS
> header, and can always use that LUKS header with the old passphrase
> to unlock the container (perhaps after spending however much time
> and processing power is needed to crack that passphrase offline).
>
> For that matter, anyone with root access to the VM while the LUKS
> container is unlocked can easily obtain the master key
> (dmsetup table --showkeys /dev/{whatever}) and can always access
> the LUKS container with that.
>
> Changing the passphrase doesn't protect against any of that.

This is probably just the usual "cargo-cult" security, i.e. follow the
ritual (a.k.a. "Process") without question, because that would require
understanding. Regular passphrase changes on storage encryption make
absolutely no sense and give you absolutely no protection benefit (unless
you have told somebody that should not know, in which case you need to
change them immediately).

I would try to give "them" a definition of the LUKS passphrase that does
not make it a "password" or "login credential", and with a bit of luck you
can thereby prevent the usual "password" process and its requirements from
applying. One approach would be to make this a "technical secret" or the
like.
After all, they probably do not require, say, passphrases protecting
certificates to be changed regularly, because that would be relatively
difficult.

Regards,
Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of "news" is
"something that hardly ever happens." -- Bruce Schneier
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
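The point Robert makes in the quoted reply (a copied LUKS header plus the old passphrase keeps working after a passphrase change, because the change only rewraps the unchanged master key) can be shown with a small model. The block below is an added example, not code from this thread or from cryptsetup, and it is a deliberate toy: the "header" is a Python dict, the slot wrap is an XOR with a PBKDF2-derived key instead of LUKS's AF-split and cipher, and the function names (luks_format, luks_open, luks_change_key, header_backup, demo) and the sample passphrases are all assumed for illustration. What it does preserve is the structural property the argument rests on: luksChangeKey-style operations never rotate the master key, so an earlier byte copy of the header (in practice, cryptsetup luksHeaderBackup, or a raw read of the device) still unwraps it with the passphrase that was valid at copy time.

```python
"""Toy model of LUKS-style key slots (added example; not the real on-disk
format and not cryptsetup's code). It keeps one property of LUKS exactly:
changing a passphrase rewraps the master key, it does not replace it."""
import copy
import hashlib
import secrets
from typing import Dict, Optional, Tuple

MASTER_KEY_LEN = 32      # bytes; assumption for the toy
KDF_ITERATIONS = 20_000  # kept low so the demo runs quickly, not a recommendation


def _derive(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """Passphrase -> per-slot key via PBKDF2-SHA256 (LUKS1 also uses PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations,
                               dklen=MASTER_KEY_LEN)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _mk_digest(master_key: bytes, header: Dict) -> bytes:
    """Digest of the master key stored in the header so an unlock attempt can
    tell a correct passphrase from a wrong one (LUKS stores an mk-digest too)."""
    return hashlib.pbkdf2_hmac("sha256", master_key, header["digest_salt"],
                               header["digest_iter"])


def _fill_slot(header: Dict, idx: int, passphrase: bytes, master_key: bytes) -> None:
    """Write key slot `idx`: wrap the master key under a key derived from the
    passphrase. Toy wrap = XOR with the derived key; every slot gets its own
    fresh salt, so the pad is never reused. Real LUKS encrypts an AF-split key."""
    salt = secrets.token_bytes(32)
    slot_key = _derive(passphrase, salt, KDF_ITERATIONS)
    header["slots"][idx] = {"salt": salt, "iter": KDF_ITERATIONS,
                            "wrapped": _xor(master_key, slot_key)}


def luks_format(passphrase: bytes) -> Tuple[Dict, bytes]:
    """Create a header with a fresh random master key in key slot 0."""
    master_key = secrets.token_bytes(MASTER_KEY_LEN)
    header = {"slots": [None] * 8,
              "digest_salt": secrets.token_bytes(32),
              "digest_iter": KDF_ITERATIONS}
    header["digest"] = _mk_digest(master_key, header)
    _fill_slot(header, 0, passphrase, master_key)
    return header, master_key


def luks_open(header: Dict, passphrase: bytes) -> Optional[bytes]:
    """Try each active slot; return the master key if one unwraps correctly."""
    for slot in header["slots"]:
        if slot is None:
            continue
        candidate = _xor(slot["wrapped"],
                         _derive(passphrase, slot["salt"], slot["iter"]))
        if _mk_digest(candidate, header) == header["digest"]:
            return candidate
    return None


def luks_change_key(header: Dict, old: bytes, new: bytes) -> bool:
    """Like `cryptsetup luksChangeKey`: find the slot `old` opens and rewrap
    the SAME master key under `new`. Nothing about the master key changes."""
    master_key = luks_open(header, old)
    if master_key is None:
        return False
    for idx, slot in enumerate(header["slots"]):
        if slot is not None and luks_open({**header, "slots": [slot]}, old) is not None:
            _fill_slot(header, idx, new, master_key)
            return True
    return False


def header_backup(header: Dict) -> Dict:
    """What anyone with read access to the device can take: a verbatim copy."""
    return copy.deepcopy(header)


def demo() -> Dict[str, bool]:
    """Walk through the scenario from the thread with constructed passphrases."""
    old_pw, new_pw = b"winter-2016", b"spring-2017"   # constructed sample values
    header, original_mk = luks_format(old_pw)
    stolen = header_backup(header)          # copied before the scheduled change
    assert luks_change_key(header, old_pw, new_pw)
    return {
        # the live header no longer accepts the old passphrase ...
        "old_pw_rejected_by_current_header": luks_open(header, old_pw) is None,
        # ... but the new passphrase unwraps the very same master key ...
        "master_key_unchanged": luks_open(header, new_pw) == original_mk,
        # ... so the stolen copy plus the old passphrase still yields it
        "stolen_header_plus_old_pw_recovers_master_key":
            luks_open(stolen, old_pw) == original_mk,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

All three results come out True. The only change that would actually invalidate a leaked header copy is one that replaces the master key, which for LUKS means re-encrypting the data (cryptsetup-reencrypt), not luksChangeKey; the root-on-unlocked-VM path via dmsetup table --showkeys is not modelled here, but it yields the same master key the demo recovers.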