#1 2014-01-07 23:47:15

LeftyAce
Member
Registered: 2012-08-18
Posts: 159

luksDump shows lots of key slots enabled

Hi all,

I have a dm-crypt/luks volume set up for my main disk, and I have it set up so I can access it either with a keyfile or a passphrase. If I understand luks key slots correctly, that means I'm using 2 of the 8 available key slots.

When I run luksDump on the volume, it shows many more of the key slots as enabled. What does that mean? I never created additional passphrases. Can I delete those? And is it safe to post the output of that luksDump command?

Thanks in advance,

Lefty

#2 2014-01-09 20:50:28

gay
Member
Registered: 2012-12-16
Posts: 90

Re: luksDump shows lots of key slots enabled

Well, it means there are more than two keys or keyfiles enabled. If you are certain that you did not enable them yourself you might want to consider that the security of your data may be compromised. (Note that no one can add another key or keyfile without supplying one of the existing keys/keyfiles - even if the device is currently unlocked. This means she can also open the device and access or modify your data at any time when the device is not mounted.)

You assume correctly, if you have one key and one keyfile, they occupy one key slot each.

However: Note that you can add the same key or keyfile multiple times. Every time you do it will be written into another key slot. Further, from the output of luksDump, you cannot tell if two slots contain the same key or not (That would be a security risk and would make the encryption vulnerable.)
I assume that you created the device with one key (or keyfile) and added the other one by executing luksAddKey. If you by accident executed this multiple times, it would have occupied more key slots with each execution.

Can you delete the other keys? Yes, of course. (But make sure that you don't delete your own keys. Otherwise, the potential mysterious attacker that has added the other keys would still be able to access your device while you would not. You don't want that.)

Therefore, before deleting any keys you would want to know which ones are yours. You can accomplish that by doing a luksOpen with the -v (verbose) option. The command will respond with

Key slot X unlocked.
Command successful.

after you supplied a correct passphrase or keyfile, where X is the number of the corresponding key slot. Luks will try all key slots with the supplied passphrase in ascending order (starting with slot 0) which means if multiple key slots encode the same passphrase luksOpen will always unlock the first one. (However, if you want to check if several key slots encode the same passphrase you can always use the -S option in the luksOpen command. It allows you to state which key slot you would like to unlock with this passphrase. This might be important in order to find out if you simply have your two legitimate keys in several key slots or if an attacker has slipped you additional illegitimate keys.)

Is it safe to post the output of luksDump? Probably. Any attacker who might be able to access your device will also be able to execute luksDump. However, there is no need for this.

In case you are uncertain about something else regarding LUKS, you can always create a small LUKS container and play around with it. Like so: https://wiki.archlinux.org/index.php/Dm … oop_device


We are exactly the people our parents always warned us about.
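The slot check described in the post above, written out as an added POSIX shell example (not the poster's code): it lists the enabled slots from luksDump, probes every slot with the known passphrase the way the -S / --key-slot suggestion does, and prints which slots your key does not unlock so you can decide what to kill. It assumes a cryptsetup that supports `open --test-passphrase` (checks a slot without mapping the device); the device and keyfile arguments and the sample dump text are constructed for illustration.

```shell
# Print the enabled slot numbers from luksDump output on stdin, one per line.
# Handles LUKS1 ("Key Slot N: ENABLED") and LUKS2 ("Keyslots:" section, "  N: luks2").
enabled_slots() {
    awk '
        /^Key Slot [0-7]: ENABLED/ { print $3 + 0 }      # LUKS1: "0:" -> 0
        /^Keyslots:/               { in_ks = 1; next }   # LUKS2 keyslot section starts
        in_ks && /^[A-Za-z]/       { in_ks = 0 }         # next section (Tokens:, Digests:)
        in_ks && /^  [0-7]: luks2/ { sub(":", "", $1); print $1 + 0 }
    '
}
# Print the slots 0..7 of DEVICE that accept the passphrase in KEYFILE (needs root).
# --test-passphrase verifies a slot without mapping the device; --key-slot is the -S
# option from the thread. Several matches mean one passphrase was added several times.
slots_for_key() {   # usage: slots_for_key DEVICE KEYFILE
    for s in 0 1 2 3 4 5 6 7; do
        if cryptsetup open --test-passphrase --key-slot "$s" --key-file "$2" "$1" 2>/dev/null; then
            echo "$s"
        fi
    done
}
# Print every slot in the first list that is not in the second (both space-separated).
slots_to_kill() {   # usage: slots_to_kill "0 1 3" "0"  -> 1 3
    for s in $1; do
        case " $2 " in *" $s "*) ;; *) echo "$s" ;; esac
    done
}
# Constructed LUKS1 luksDump excerpt, not output from any real device.
SAMPLE_DUMP='LUKS header information for /dev/loop0
Version:        1
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: ENABLED
Key Slot 4: DISABLED'
# Offline demo: assume slot 0 is the one the owner's passphrase unlocked.
demo_slots_to_kill() {
    slots_to_kill "$(printf '%s\n' "$SAMPLE_DUMP" | enabled_slots | tr '\n' ' ')" 0
}
# Given DEVICE KEYFILE, run the real check and print (do not run) the luksKillSlot
# commands for the slots your key does not unlock; otherwise show the offline demo.
if [ $# -eq 2 ]; then
    all=$(cryptsetup luksDump "$1" | enabled_slots | tr '\n' ' ')
    mine=$(slots_for_key "$1" "$2" | tr '\n' ' ')
    echo "enabled: $all"; echo "unlocked by your key: $mine"
    for s in $(slots_to_kill "$all" "$mine"); do echo "cryptsetup luksKillSlot $1 $s"; done
else
    echo "slots to review (demo): $(demo_slots_to_kill | tr '\n' ' ')"
fi
```

Run it once per legitimate passphrase or keyfile and take the intersection of the "slots to review" lists before killing anything; a slot that none of your keys unlocks is the one to worry about.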

#3 2014-01-10 05:04:04

LeftyAce
Member
Registered: 2012-08-18
Posts: 159

Re: luksDump shows lots of key slots enabled

Thanks so much for that thorough response! I got impatient and went ahead and killed the unknown keyslots before I saw your reply, so I don't know if they were just duplicates of my same key or what, but I'm not too concerned. There's now only one active slot and it definitely works with my key, so I'm happy.

And thanks for the tip about playing around with a small luks container, that looks like a much safer way to learn stuff than monkeying around with the container that's got my whole system on it :-P
