[Pkg-cryptsetup-devel] Re: Bug#371135: encrypted swap with
variable key fails
Jonas Meurer
jonas at freesources.org
Fri Jun 23 14:05:10 UTC 2006
On 21/06/2006 Michael Gebetsroither wrote:
> >first, LUKS devices with random key are possible, you just need to store
> >the random key after luksFormat, to reuse it for luksOpen. afterwards
> >you can shred/wipe the key.
>
> What about letting the user initialise the swap partition with
> luksformat and insert the partition AND the uuid of the just created
> luks partition into /etc/cryptdisks (could also be done with a little
> wrapper script)
> we add a command to regenerate the master key to cryptsetup binary,
> without updating the uuid and we could safely run mkswap on the
> encrypted device.
in my eyes, this is the same as running luksFormat every time. if you
regenerate the master key, the data encrypted with the old master key
will be lost. so i don't see the extra protection here, except from
requireing to give the UUID to /etc/crypttab.
> And there is NO chance to kill the wrong device with mkswap.
> And all this without any additional checks.
but it would be extra work for the admin, as setting up encrypted swap
would differ from setting up normal encrypted data.
> It could also be done without regenerating the masterkey and only
> adding a userkey and deleting the old.
> BUT the swap is still encrypted with the _same_ key (as the user keys
> only decrypts the masterkey).
> Imho without regernerating the masterkey this is a nogo.
how do you regenerate a masterkey and reuse it for the data that is
encrypted with the old one? it would need to be exactly the same one.
i'm not sure that i understand.
...
jonas
More information about the Pkg-cryptsetup-devel
mailing list