[Pkg-cryptsetup-devel] key rollover page: cryptsetup

Jonas Meurer jonas at freesources.org
Fri May 16 19:10:26 UTC 2008


Hey,

On 16/05/2008 Moritz Muehlenhoff wrote:
> please ack if this information from the wiki is alright to be
> merged into the main key rollover web site:
> (http://www.debian.org/security/key-rollover/)

Yes, please go ahead. In fact, that paragraph about cryptsetup was
prepared by David Härdeman and me (the only two active cryptsetup
maintainers) and we purposed to forward it to you (the security team)
anyway. But you've been faster :-)

greetings,
 jonas

> cryptsetup
> ==========
> 
> Cryptsetup itself does not use openssl for encryption (this applies to
> both LUKS and dm-crypt devices).
> 
> *If* cryptsetup has been configured to use SSL-encrypted keyfiles (a
> non-default setup which must be explicitly configured by the user)
> and a broken version of openssl was used to generate the keyfile, the
> keyfile encryption may be weaker than expected (as the salt is not
> truly random).
> 
> The solution is either to re-encrypt the keyfile (if you are
> reasonably certain that the encrypted key has not been disclosed to
> any third parties) or to wipe and reinstall the affected partition(s)
> using a new key.
> 
> Instructions for re-encrypting a keyfile:
> 
> Do the following for each SSL-encrypted keyfile, replacing
> <ssl_encrypted_key_path> with the path to the actual keyfile:
> 
> tmpkey=$(tempfile)
> openssl enc -aes-256-cbc -d -salt -in <ssl_encrypted_key_path> -out "$tmpkey"
> shred -uz <ssl_encrypted_key_path>
> openssl enc -aes-256-cbc -e -salt -in "$tmpkey" -out <ssl_encrypted_key_path>
> shred -uz "$tmpkey"
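
The re-encryption steps quoted above, wrapped as an added example (not part of the original mail or of cryptsetup) that aborts if decryption fails and verifies the new file before the old one is shredded. The function name `reencrypt_keyfile`, the `.new` suffix and the optional pass-source arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail): re-encrypt one SSL-encrypted
# keyfile, shredding the old file only after the new one has been verified.
# Usage: reencrypt_keyfile <keyfile> [old-pass-source] [new-pass-source]
# The pass sources are optional openssl "-pass" arguments (e.g. file:/path);
# without them openssl prompts on the terminal, as in the quoted commands.
reencrypt_keyfile() (
    key=$1 oldpass=${2:-} newpass=${3:-} verified=0
    umask 077                      # new files readable by the owner only
    tmpdir=$(mktemp -d) || exit 1
    plain=$tmpdir/plain check=$tmpdir/check new=$key.new

    cleanup() {                    # wipe every plaintext copy of the key
        for f in "$plain" "$check"; do
            if [ -f "$f" ]; then shred -uz "$f"; fi
        done
        rm -rf "$tmpdir"
    }
    fail() {                       # report, clean up, keep a verified $new
        echo "reencrypt_keyfile: $*" >&2
        [ "$verified" = 1 ] || rm -f "$new"
        cleanup; exit 1
    }

    # 1. Decrypt. A wrong passphrase normally makes openssl exit non-zero.
    openssl enc -aes-256-cbc -d -salt -in "$key" -out "$plain" \
        ${oldpass:+-pass "$oldpass"} || fail "decryption failed; $key untouched"
    [ -s "$plain" ] || fail "decrypted key is empty; $key untouched"

    # 2. Encrypt to a new file (fresh salt) beside the old one.
    openssl enc -aes-256-cbc -e -salt -in "$plain" -out "$new" \
        ${newpass:+-pass "$newpass"} || fail "encryption failed; $key untouched"

    # 3. Prove the new file decrypts to the same key before touching the old.
    openssl enc -aes-256-cbc -d -salt -in "$new" -out "$check" \
        ${newpass:+-pass "$newpass"} || fail "new file does not decrypt"
    cmp -s "$plain" "$check" || fail "round trip mismatch; $key untouched"

    # 4. Only now destroy the old ciphertext and move the new file into place.
    verified=1
    shred -uz "$key" || fail "could not shred $key; new keyfile is $new"
    mv "$new" "$key" || fail "could not rename $new to $key"
    cleanup
)

# Run on each path given on the command line (none: just define the function).
for k in "$@"; do reencrypt_keyfile "$k" || exit 1; done
```

When the pass sources are omitted, openssl asks for the new passphrase again in step 3 so the round trip can be checked.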