New additions to FAQ are great. Thank you Arno. These are the questions I asked on this list within the last few months that I have answers for (thank you all). My other questions are not yet researched/answered. Most of them I sent in a previous email. Will send again as finished or on request. Feel free to add if it seems useful. I don't need attribution as you guys did all the work.

-------------------------------------------

Q: What is an unbound keyslot?

A: Quite simply, an 'unbound key' is an independent 'key' stored in a LUKS2 keyslot that cannot be used to unlock the LUKS2 data device. More specifically, an 'unbound key' or 'unbound LUKS2 keyslot' contains a secret stored in a LUKS2 keyslot that is not currently associated with any data segment (crypt segment) in the LUKS2 'Segments' section.

Q: What is an unbound keyslot used for?

A: What dm-crypt uses it for as of April 2020:

1) LUKS2 reencryption. The future/new volume key is stored in an unbound keyslot and it becomes a regular LUKS2 keyslot later when it is used to actually decrypt/encrypt some crypt segment.

2) A similar use case as 1) is used with the wrapped key scheme (used with e.g. the paes cipher). The VK stored in the keyslot is in fact a binary blob (encrypted again). The KEK for that binary blob may be refreshed (the KEK in this case is not managed by cryptsetup!) and the binary blob gets changed. For the KEK refresh process an 'unbound keyslot' is used. First you store the future effective VK in an unbound keyslot and later it gets enforced to become the new real VK (bound to the current dm-crypt segment).

JT

On Sunday, April 26, 2020, 9:35:08 AM MST, Arno Wagner <arno@xxxxxxxxxxx> wrote:

Hi all,

I just finished the first pass through the FAQ to adapt it for LUKS2. In particular I did the following:

- Clearly state LUKS1 or LUKS2 for things that do not apply to both
- Still use "LUKS" when both LUKS1 and LUKS2 are affected
- Added references for the LUKS2 header spec
- Added specific instructions for LUKS2 where needed
- Added a (currently pretty short) LUKS2 section

If some of you find the time to read through it and let me know about any errors or omissions, I would appreciate it. Also, if you have any suggestions for Section 10 (LUKS2 Questions), or maybe even a small item to add, I would appreciate that as well. In particular, the LUKS2 section would benefit from some mini-HOWTOs, I think.

As usual, the FAQ is found at https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions

I did update the version in the sources as well, but that may take a while to propagate.

Regards,
Arno

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt
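The definition JT quotes above (a keyslot is unbound when no digest ties it to a data segment) can be checked directly against the LUKS2 JSON metadata. The following is an added example written for this thread, not cryptsetup's own code and not part of either message. It assumes the LUKS2 on-disk format's three top-level objects "keyslots", "segments" and "digests", where a digest lists the keyslots it covers and the segments it authenticates; the metadata dictionary is a constructed sample in that shape, trimmed to the fields the check needs, rather than a dump of a real device (on a recent cryptsetup, "cryptsetup luksDump --dump-json-metadata <device>" prints the real thing).

```python
import json

# Constructed sample of a LUKS2 JSON metadata area, trimmed to the fields this
# check needs. It is NOT a dump of a real device.
#   keyslot 0: digest 0 references it AND crypt segment 0           -> bound
#   keyslot 1: digest 1 references it but has an empty segment list -> unbound
#              (this is how a future volume key is parked during reencryption)
#   keyslot 2: referenced by no digest at all                       -> unbound
SAMPLE_METADATA = json.loads("""
{
  "keyslots": {
    "0": {"type": "luks2", "key_size": 64},
    "1": {"type": "luks2", "key_size": 64},
    "2": {"type": "luks2", "key_size": 64}
  },
  "segments": {
    "0": {"type": "crypt", "offset": "16777216", "size": "dynamic",
          "iv_tweak": "0", "encryption": "aes-xts-plain64", "sector_size": 512}
  },
  "digests": {
    "0": {"type": "pbkdf2", "keyslots": ["0"], "segments": ["0"], "hash": "sha256"},
    "1": {"type": "pbkdf2", "keyslots": ["1"], "segments": [],    "hash": "sha256"}
  }
}
""")


def classify_keyslots(meta):
    """Map each keyslot id to 'bound' or 'unbound'.

    A keyslot is bound when some digest references both that keyslot and at
    least one segment that actually exists in the 'segments' section. Every
    other keyslot (digest with an empty segment list, digest pointing at a
    segment id that does not exist, or no digest at all) is unbound: it holds
    a secret, but that secret cannot unlock the data device.
    """
    existing_segments = set(meta.get("segments", {}))
    bound = set()
    for digest in meta.get("digests", {}).values():
        if any(seg in existing_segments for seg in digest.get("segments", [])):
            bound.update(digest.get("keyslots", []))
    return {ks: ("bound" if ks in bound else "unbound")
            for ks in meta.get("keyslots", {})}


def summarize(meta):
    """One line per keyslot, in the spirit of the Keyslots list luksDump prints."""
    verdicts = classify_keyslots(meta)
    lines = []
    for ks_id, ks in sorted(meta.get("keyslots", {}).items(),
                            key=lambda kv: int(kv[0])):
        suffix = " (unbound)" if verdicts[ks_id] == "unbound" else ""
        lines.append(f"{ks_id}: {ks.get('type', '?')}{suffix}")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_METADATA):
        print(line)
```

Running it on the sample lists keyslot 0 as a normal keyslot and keyslots 1 and 2 as unbound. The practical point for an operator is that an unbound keyslot that is not part of an in-progress reencryption or KEK refresh is just a parked secret: it neither unlocks the device nor is protected by any binding to the data, so an audit of a LUKS2 header should account for why each unbound slot exists.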