During a forensic analysis of a machine that uses dm-crypt with LUKS, is it possible to detect if a two-factor authentication setup is present? I.e. two keyslots - one passphrase, one keyfile.
Last edited by Divinorum (2015-05-04 15:02:31)
What exactly do you mean by ‘two-factor authentication’? To me, a two-factor
authentication involves two different steps in the process of authentication
of a user. For example the user might be asked to provide both a password and
a code which is obtained via mobile application (or text message, special
hardware…). For LUKS it is sufficient to provide one password even if the
container has two or more keyslots – that is why I would not call the presence
of several keyslots ‘two-factor authentication’.
If you just want to know if there is more than one keyslot
cryptsetup luksDump <device>
is the magic.
Secondly, it does not matter how you input the secret – a 1024 byte long input
via keyboard is just as valid as a file containing the same data. (The
statement might be wrong, but that is how I understand cryptsetup’s man page
and other resources.)
To be more specific I was referring to whether or not an attacker would be able to detect if a keyfile is used.
Last edited by Divinorum (2015-05-04 15:02:16)
[…] I wanted to see if there was a way that LUKS may reveal if a keyfile or
passphrase is used. […]
You should consider posting this question to LUKS’/dm-crypt’s mailing list – I
assume there are more people who are able to answer that question.
Couldn't you just say you've forgotten the passphrase?
[...]but I wanted to see if there was a way that LUKS may reveal if a keyfile or passphrase is used.
As far as LUKS is concerned, a keyfile is just a passphrase in a file. When you give any tool that manages LUKS-based volumes a keyfile, that tool may read the content of the keyfile and then pass it on as a passphrase, and things will work.
TrueCrypt, on the other hand, treats keyfiles and passphrases differently. If you create a TrueCrypt volume with a passphrase, you will have to open the volume with the passphrase; put the passphrase in a keyfile and then try to open the volume with the keyfile, and the volume will not open.
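Added example, not part of the thread and not cryptsetup's own code: a minimal parser for the on-disk header, assuming the LUKS1 layout (LUKS2 uses a different, JSON-based header). It lists what an examiner can read per keyslot (state, PBKDF2 iterations, salt, key-material offset, stripes); no field records whether the slot's secret was typed or read from a file. The sample header and the function names are constructed for illustration.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
# LUKS1 phdr: magic, version, cipher name, cipher mode, hash spec, payload
# offset, key bytes, MK digest, MK digest salt, MK digest iterations, UUID
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
# One keyslot: active flag, PBKDF2 iterations, salt, key-material offset, stripes
SLOT = struct.Struct(">II32sII")


def parse_luks1_header(buf):
    """Return header fields and the per-keyslot metadata stored on disk."""
    if len(buf) < PHDR.size + 8 * SLOT.size:
        raise ValueError("buffer shorter than a LUKS1 header (592 bytes)")
    (magic, version, cipher, mode, hash_spec, payload_off, key_bytes,
     _digest, _dsalt, _diter, uuid) = PHDR.unpack_from(buf, 0)
    if magic != LUKS_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    text = lambda b: b.split(b"\0", 1)[0].decode("ascii", "replace")
    states = {SLOT_ACTIVE: "ENABLED", SLOT_DISABLED: "DISABLED"}
    slots = []
    for i in range(8):
        off = PHDR.size + i * SLOT.size
        active, iters, salt, km_off, stripes = SLOT.unpack_from(buf, off)
        slots.append({"slot": i, "state": states.get(active, "CORRUPT"),
                      "iterations": iters, "salt": salt.hex(),
                      "km_offset": km_off, "stripes": stripes})
    return {"cipher": text(cipher), "mode": text(mode), "hash": text(hash_spec),
            "key_bytes": key_bytes, "payload_offset": payload_off,
            "uuid": text(uuid), "keyslots": slots}


def build_sample_header():
    """Constructed header: slots 0 and 1 enabled, as in the question."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha1", 4096, 64,
                    bytes(20), bytes(32), 1000,
                    b"00000000-0000-0000-0000-000000000000")
    for i in range(8):
        on = i < 2
        hdr += SLOT.pack(SLOT_ACTIVE if on else SLOT_DISABLED,
                         150000 + i if on else 0,
                         bytes([i + 1]) * 32 if on else bytes(32),
                         8 + i * 504, 4000)
    return hdr


if __name__ == "__main__":
    for s in parse_luks1_header(build_sample_header())["keyslots"]:
        print(s["slot"], s["state"], s["iterations"], s["km_offset"], s["stripes"])
```

On a real device the same 592 bytes sit at offset 0 of the LUKS partition, so the parser can be pointed at the first sector pair of a forensic image instead of the constructed sample.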