
Re: [OCLUG-Tech] encrypted filesystems -- LUKS versus eCryptfs?

  • Subject: Re: [OCLUG-Tech] encrypted filesystems -- LUKS versus eCryptfs?
  • From: Martin Hicks <mort [ at ] bork [ dot ] org>
  • Date: Thu, 2 Jan 2014 09:43:41 -0500
On Mon, Dec 23, 2013 at 4:18 PM, Alex Pilon <alp [ at ] alexpilon [ dot ] ca> wrote:
> On Mon, Dec 23, 2013 at 03:47:05PM -0500, Robert P. J. Day wrote:
>
> LUKS does block device symmetric encryption. It's in a way a wrapper
> around dm-crypt. Plain dm-crypt requires you to specify all the
> parameters manually, whereas LUKS creates a header at the beginning of
> the block device. dm-crypt requires you to understand the crypto, and
> won't do things like salting your secret. LUKS will randomly generate
> (and salt if I recall correctly) a master secret, and provide ten
> “slots” for weaker secrets (e.g., passwords, passphrases, or binary data
> of your choosing), which it'll run through PBKDF2.

This is close, but there is no "weaker" secret.  For each "slot" (of
which I think there are 8) that is activated, the "Master" key is
encrypted using the passphrase/data that is provided when the slot is
enabled/configured (when you create a new LUKS device, there is only a
single slot activated).  In the default configuration, the Master Key
is an AES encryption key.

Later, when you're prompted for the passphrase to unlock the LUKS
device, cryptsetup loops through each enabled slot using the provided
passphrase and gets some Master Key as a result.  It verifies (I can't
remember how...looks for a header?) if this Master Key makes sense
i.e., it successfully decrypts some data in a way that yields correct
plaintext.

So, with multiple slots enabled the Master Key is encrypted multiple
times using different passphrases and PBKDF2.

mh

-- 
Martin Hicks P.Eng.      |         mort [ at ] bork [ dot ] org
Bork Consulting Inc.     |   +1 (613) 266-2296
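The slot mechanism described in the reply above (random master key, one PBKDF2-derived wrapping per enabled slot, a loop over slots at unlock time, and a header check that tells a correct candidate from a wrong one), as an added Python model. This is illustrative code written for this page, not cryptsetup's own implementation, and it simplifies the on-disk format: the master key is wrapped by XOR with a PBKDF2-derived key of the same length instead of being encrypted with the volume cipher and spread by the anti-forensic splitter, the header digest uses PBKDF2-HMAC-SHA256, iteration counts are fixed constants rather than benchmarked, and the slot count of 8 is taken from the reply. Function names (`format_device`, `open_device`, `add_key`, `kill_slot`) are chosen to mirror the cryptsetup actions they stand in for and are not its API.

```python
"""Toy model of LUKS1-style key slots (added example, not cryptsetup code).

Simplifications, labelled as assumptions:
- the master key is "wrapped" by XOR with a PBKDF2-derived key of equal length;
  real LUKS encrypts it with the volume cipher (AES by default) and spreads it
  with an anti-forensic splitter before storing it in the slot;
- the header's master-key digest uses PBKDF2-HMAC-SHA256;
- iteration counts are fixed constants instead of being benchmarked.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

MASTER_KEY_BYTES = 32     # 256-bit master key (AES-256 sized)
SLOT_COUNT = 8            # slot count as stated in the reply
PBKDF2_ITERS = 50_000     # constructed value; cryptsetup benchmarks this per slot


@dataclass
class KeySlot:
    active: bool = False
    salt: bytes = b""
    iterations: int = 0
    wrapped_master: bytes = b""   # master key encrypted under this slot's derived key


@dataclass
class Header:
    mk_digest_salt: bytes
    mk_digest: bytes           # PBKDF2(master key, mk_digest_salt): the unlock check
    mk_digest_iters: int
    slots: list = field(default_factory=lambda: [KeySlot() for _ in range(SLOT_COUNT)])


def _kdf(secret: bytes, salt: bytes, iters: int) -> bytes:
    """PBKDF2-HMAC-SHA256, output sized to the master key."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iters, dklen=MASTER_KEY_BYTES)


def _xor(a: bytes, b: bytes) -> bytes:
    """Stand-in for the real cipher: XOR with an equal-length derived key."""
    return bytes(x ^ y for x, y in zip(a, b))


def _enable_slot(hdr: Header, master: bytes, passphrase: bytes) -> int:
    """Wrap the master key under a fresh salt + PBKDF2 key in the first free slot."""
    for idx, slot in enumerate(hdr.slots):
        if not slot.active:
            slot.salt = secrets.token_bytes(32)          # per-slot salt
            slot.iterations = PBKDF2_ITERS
            slot.wrapped_master = _xor(_kdf(passphrase, slot.salt, slot.iterations), master)
            slot.active = True
            return idx
    raise RuntimeError("no free key slot")


def format_device(passphrase: bytes) -> Tuple[Header, bytes]:
    """Like luksFormat: random master key, its digest in the header, one slot enabled."""
    master = secrets.token_bytes(MASTER_KEY_BYTES)
    digest_salt = secrets.token_bytes(32)
    hdr = Header(mk_digest_salt=digest_salt,
                 mk_digest=_kdf(master, digest_salt, PBKDF2_ITERS),
                 mk_digest_iters=PBKDF2_ITERS)
    _enable_slot(hdr, master, passphrase)
    return hdr, master


def open_device(hdr: Header, passphrase: bytes) -> Optional[Tuple[int, bytes]]:
    """Like luksOpen: try every active slot; keep the candidate whose digest matches."""
    for idx, slot in enumerate(hdr.slots):
        if not slot.active:
            continue
        candidate = _xor(_kdf(passphrase, slot.salt, slot.iterations), slot.wrapped_master)
        # Every slot yields *some* 32 bytes; only the header digest says which one is real.
        check = _kdf(candidate, hdr.mk_digest_salt, hdr.mk_digest_iters)
        if hmac.compare_digest(check, hdr.mk_digest):
            return idx, candidate
    return None


def add_key(hdr: Header, existing_passphrase: bytes, new_passphrase: bytes) -> int:
    """Like luksAddKey: an existing passphrase must first recover the master key."""
    opened = open_device(hdr, existing_passphrase)
    if opened is None:
        raise PermissionError("existing passphrase does not unlock any slot")
    return _enable_slot(hdr, opened[1], new_passphrase)


def kill_slot(hdr: Header, idx: int) -> None:
    """Like luksKillSlot: erase one slot; the others still unwrap the same master key."""
    hdr.slots[idx] = KeySlot()


if __name__ == "__main__":
    hdr, mk = format_device(b"first passphrase")
    add_key(hdr, b"first passphrase", b"second passphrase")
    print("second slot unlocks same master key:", open_device(hdr, b"second passphrase")[1] == mk)
```

The part the reply was unsure about is the `mk_digest` check in `open_device`: a wrong passphrase still produces a 32-byte candidate from every slot, so the header needs something derived from the real master key to compare against, and real LUKS1 headers carry a salted PBKDF2 digest of the master key for exactly that purpose. The model also shows why adding a key requires an existing one (the master key must be recovered before it can be wrapped again) and why killing a slot leaves the remaining slots fully usable.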