On 04/25/2017 08:44 AM, Dominic Raferd wrote:
On 25 April 2017 at 14:14, Robert Nichols <rnicholsNOSPAM@xxxxxxxxxxx <mailto:rnicholsNOSPAM@xxxxxxxxxxx>> wrote:
On 04/24/2017 06:49 PM, protagonist wrote:
However, I assume it is likely that a determined attacker running as
root might be able to extract the master key from RAM if the encrypted
volume in question is still open at the time of attack, so technically,
there would be a way to do this without the password.
It's trivial. Just run "dmsetup table --showkeys" on the device.
Wowzer. 'cryptsetup luksDump <device> --dump-master-key' can also provide this info but it requires a passphrase, which 'dmsetup table --showkeys' does not. So must we assume that anyone who has ever had root access while the encrypted device is mounted can thereafter break through the encryption regardless of passphrases? At least until cryptsetup-reencrypt is run on the device, which is a big step.
It's in the FAQ, section 6.10, so not really a great revelation.
BTW, it's "--showkey", not "--showkeys". Minor typo there, sorry.
Also, anyone who has had access to the device has had the ability to save a copy of the LUKS header, so the ability to revoke passphrases really isn't as great as it cracked up to be.
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
