You are not logged in.

#1 2024-04-24 21:07:47

steventrouble
Member
Registered: 2010-03-18
Posts: 5

What is the point of LUKS if the keys are plaintext?

When I set up a LUKS encrypted partition using the guided installer, by default it installed the keyfiles to /etc/cryptsetup-keys.d/ainstnvme0n1p1.key unencrypted. All the guides online set it up this way, but it seems fundamentally insecure. Is there any benefit to LUKS encryption if the keys are stored on device? What is preventing someone from inserting a live USB and just reading the keys?

Offline

#2 2024-04-24 21:30:27

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 23,447

Re: What is the point of LUKS if the keys are plaintext?

The device the key lies on is encrypted and can't be accessed by someone with a live usb. But generally see the warning and the notes in https://wiki.archlinux.org/title/Dm-cry … _initramfs this is only reccommended if you block access earlier in some way

Offline

#3 2024-04-25 06:39:17

MS-DTYP
Member
Registered: 2020-05-01
Posts: 30

Re: What is the point of LUKS if the keys are plaintext?

steventrouble, If you need more security, you don't need guided installer. It's better to setup Arch manually, also use a unified kernel image (UKI) and systemd-boot.

Offline

#4 2024-04-25 07:08:14

mpan
Member
Registered: 2012-08-01
Posts: 1,344
Website

Re: What is the point of LUKS if the keys are plaintext?

In LUKS the basic method is a passphrase, which is a knowledge factor (“knows”). You may replace it with an externally stored key, which is a posession factor (“has”). Observe, that both cases are offering the same number of factors: one.

You choose which one: knowledge or posession. Each of them has different properties, but neither is inherently⁽¹⁾ better than the other. So it’s not like the installer offers you a less secure option. Keep in mind: the assumption is, that this key is stored separately from the encrypted medium.

You may encrypt the USB stick too, but this is a separate thing: a second factor, another security layer.
____
⁽¹⁾ Without defining a particular threat model.


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#5 2024-04-25 09:03:54

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 23,447

Re: What is the point of LUKS if the keys are plaintext?

Mod note: Moving to System Administration

Offline

Board footer

Powered by FluxBB