home | list info | list archive | date index | thread index

Re: [OCLUG-Tech] encrypted filesystems -- LUKS versus eCryptfs?

  • Subject: Re: [OCLUG-Tech] encrypted filesystems -- LUKS versus eCryptfs?
  • From: Alex Pilon <alp [ at ] alexpilon [ dot ] ca>
  • Date: Thu, 2 Jan 2014 11:34:26 -0500
> On Mon, Dec 23, 2013 at 4:18 PM, Alex Pilon <alp [ at ] alexpilon [ dot ] ca> wrote:
> > LUKS will randomly generate (and salt if I recall correctly) a
> > master secret, and provide ten “slots” for weaker secrets (e.g.,
> > passwords, passphrases, or binary data of your chosing), which it'll
> > run through PBKDF2.
On Thu, Jan 02, 2014 at 09:43:41AM -0500, Martin Hicks wrote:
> This is close, but there is no "weaker" secret.

I meant ‘likely weaker user-provided secret to unlock another secret’,
given that it's usually human-generated, not ‘entirely randomly’

> For each "slot" (of which I think there are 8)

Yes. The man page and FAQ says there are eight. Don't recall where I got

> that is activated, the "Master" key is encrypted using the
> passphrase/data that is provided when the slot is enabled/configured
> (when you create a new LUKS device, there is only a single slot
> activated).
> […] 
> So, with multiple slots enabled the Master Key is encrypted multiple
> times using different passphrases and PBKDF2.

Poor formulation. That's what I meant. I left that implicit.

> Later, when you're prompted for the passphrase to unlock the LUKS
> device, cryptsetup loops through each enabled slot using the provided
> passphrase and gets some Master Key as a result. It verifies (I can't
> remember how...looks for a header?)

There's a master key digest and salt in the LUKS header. Call
`cryptsetup luksDump` to see them. The number of PBKDF2 iterations is
also stored in the header and the salt for your passthrase are too.
Presumably the result of your PBKDF2 run can be hashed and checked
against the master key digest.