Hi JT,

thanks, that is definitely helpful. Streamlined a bit and added as Item 10.9.

Regards,
Arno

On Mon, Apr 27, 2020 at 16:37:22 CEST, JT Morée wrote:
> New additions to the FAQ are great. Thank you Arno.
>
> These are the questions I asked on this list within the last few months that I have answers for (thank you all). My other questions are not yet researched/answered. Most of them I sent in a previous email. Will send again as finished or on request. Feel free to add if it seems useful. I don't need attribution as you guys did all the work.
> -------------------------------------------
>
> Q: What is an unbound keyslot?
>
> A: Quite simply, an 'unbound key' is an independent 'key' stored in a LUKS2 keyslot that cannot be used to unlock the LUKS2 data device.
>
> More specifically, an 'unbound key' or 'unbound LUKS2 keyslot' contains a secret stored in a LUKS2 keyslot that is not currently associated with any data segment (crypt segment) in the LUKS2 'Segments' section.
>
> Q: What is an unbound keyslot used for?
>
> A: What dm-crypt uses it for as of April 2020:
>
> 1) LUKS2 reencryption. The future/new volume key is stored in an unbound keyslot, and it becomes a regular LUKS2 keyslot later when it is used to actually decrypt/encrypt some crypt segment.
>
> 2) A similar use case as 1) is used with the wrapped key scheme (used with e.g. the paes cipher). The VK stored in the keyslot is in fact a binary blob (encrypted again). The KEK for that binary blob may be refreshed (the KEK in this case is not managed by cryptsetup!) and the binary blob gets changed. For the KEK refresh process an 'unbound keyslot' is used. First you store the future effective VK in an unbound keyslot, and later it gets enforced to become the new real VK (bound to the current dm-crypt segment).
>
> JT
>
> On Sunday, April 26, 2020, 9:35:08 AM MST, Arno Wagner <arno@xxxxxxxxxxx> wrote:
>
> Hi all,
>
> I just finished the first pass through the FAQ to adapt it for LUKS2.
> In particular I did the following:
>
> - Clearly state LUKS1 or LUKS2 for things that do not apply to both
> - Still use "LUKS" when both LUKS1 and LUKS2 are affected
> - Added references for the LUKS2 header spec
> - Added specific instructions for LUKS2 where needed
> - Added a (currently pretty short) LUKS2 section
>
> If some of you find the time to read through it and let me know
> about any errors or omissions, I would appreciate it.
>
> Also, if you have any suggestions for Section 10 (LUKS2 Questions),
> or maybe even a small item to add, I would appreciate that as
> well. In particular, the LUKS2 section would benefit from some
> mini-HOWTOs, I think.
>
> As usual, the FAQ is found at
> https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions
>
> I did update the version in the sources as well, but that may take a while
> to propagate.
>
> Regards,
> Arno
>
> --
> Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx
> GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
> ----
> A good decision is based on knowledge and not on numbers. -- Plato
>
> If it's in the news, don't worry about it. The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> https://www.saout.de/mailman/listinfo/dm-crypt
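The definition above (a keyslot is unbound when it is not tied to any crypt segment) can be checked directly against the LUKS2 JSON metadata, where the keyslot-to-segment association is recorded in the "digests" objects. The following is an added example, not code from this thread or from cryptsetup; the header JSON it walks is constructed and abbreviated, and in practice it would come from `cryptsetup luksDump --dump-json-metadata <device>`.

```python
import json

# Constructed, abbreviated LUKS2 JSON metadata (not a real header dump).
# Keyslot "0" is bound to crypt segment "0" through digest "0".
# Keyslot "1" is listed by no digest at all: an unbound keyslot, as created by
# 'luksAddKey --unbound' or while a future volume key is parked during reencryption.
# Keyslot "2" is listed by a digest that names no segment, so it is unbound as well.
SAMPLE_LUKS2_JSON = """{
  "keyslots": {
    "0": {"type": "luks2", "key_size": 64},
    "1": {"type": "luks2", "key_size": 64},
    "2": {"type": "luks2", "key_size": 64}
  },
  "segments": {
    "0": {"type": "crypt", "offset": "16777216", "size": "dynamic",
          "iv_tweak": "0", "encryption": "aes-xts-plain64", "sector_size": 512}
  },
  "digests": {
    "0": {"type": "pbkdf2", "keyslots": ["0"], "segments": ["0"],
          "hash": "sha256", "iterations": 1000, "salt": "c2FsdA==", "digest": "ZGlnZXN0"},
    "1": {"type": "pbkdf2", "keyslots": ["2"], "segments": [],
          "hash": "sha256", "iterations": 1000, "salt": "c2FsdA==", "digest": "ZGlnZXN0"}
  },
  "tokens": {},
  "config": {"json_size": "12288", "keyslots_size": "16744448"}
}"""


def keyslot_bindings(meta: dict) -> dict:
    """Map every keyslot id to the crypt segment ids it can unlock.

    A keyslot is bound only if some digest lists it together with at least one
    segment of type "crypt"; a digest pointing at a missing or non-crypt segment
    does not bind the keyslot to data."""
    segments = meta.get("segments", {})
    bindings = {ks: [] for ks in meta.get("keyslots", {})}
    for digest in meta.get("digests", {}).values():
        crypt_segs = [s for s in digest.get("segments", [])
                      if segments.get(s, {}).get("type") == "crypt"]
        for ks in digest.get("keyslots", []):
            if ks in bindings:
                bindings[ks].extend(crypt_segs)
    return bindings


def unbound_keyslots(meta: dict) -> list:
    """Return the sorted ids of keyslots that unlock no crypt segment."""
    return sorted(ks for ks, segs in keyslot_bindings(meta).items() if not segs)


def analyze_sample() -> list:
    """Run the check over the constructed metadata above."""
    return unbound_keyslots(json.loads(SAMPLE_LUKS2_JSON))
```

Before removing an unbound keyslot during cleanup, compare this output with the "Keyslots" section of `cryptsetup luksDump`; a keyslot that is currently unbound may still be the next volume key of an in-progress reencryption.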