On Sat, Oct 28, 2017 at 03:32:50 CEST, Robert Nichols wrote: [...] > But, removal of that temporary key is not as secure as you might think. > Anyone (or any bot) that had an opportunity to make a copy of the LUKS > header while that key was installed can always use that header, together > with that "temporary" key, to unlock the container. "LUKS with detached > header" would be the most straightforward way, but the master key could > also be constructed from that header + key and used directly with > cryptsetup to access the container's contents. As always, the fact of thematter is that an attacker that has access to the decrypted container can get everything, including all data in there. But said attacker could also replace the cryptsetup binary, the kernel, etc. so it is somthing to be aware of, not something to fix. Regards, Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- A good decision is based on knowledge and not on numbers. -- Plato If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
