[dm-crypt] LUKS header recovery attempt, bruteforce detection of AF-keyslot bit errors

Michael Kjörling michael at kjorling.se
Mon Apr 24 19:44:04 CEST 2017


On 24 Apr 2017 18:00 +0100, from dominic at timedicer.co.uk (Dominic Raferd):
> Is there any possibility that a malicious third party (disgruntled
> ex-sysadmin perhaps) gained root access to the machine during its last
> session and changed the passphrase?

Does that not require knowledge of a current passphrase? I believe it
does. Which of course said third party _could_ have.

> As an aside, of no help to OP I'm afraid: is a prior backup of the
> LUKS header a protection against this scenario (i.e. against a
> subsequently deleted, or changed and now unknown, passphrase)?

Yes. A copy of the LUKS header and a passphrase that was valid at the
time the header copy was made will allow access, as long as the master
key is unchanged (no cryptsetup-reencrypt in the interim). The only
way to mitigate this threat AFAIK is to change the master key of the
container.

-- 
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)
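
Added example, not part of the original message and not cryptsetup code: a simplified Python model of the header/keyslot relationship described in the reply above, showing why a header copy plus a then-valid passphrase keeps working until the master key is replaced. Assumptions: a PBKDF2-derived XOR pad stands in for the real keyslot encryption and anti-forensic splitting, and all names, passphrases and the iteration count are constructed.

```python
import copy, hashlib, os

ITER = 1000  # constructed; real headers use far higher iteration counts

def _kdf(secret, salt, n):
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITER, dklen=n)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _slot(master_key, passphrase):
    # A keyslot stores the master key wrapped under a passphrase-derived key.
    salt = os.urandom(32)
    return {"salt": salt, "blob": _xor(master_key, _kdf(passphrase, salt, len(master_key)))}

def format_header(master_key, passphrase):
    # The header keeps only a salted digest of the master key, never the key itself.
    salt = os.urandom(32)
    return {"mk_salt": salt, "mk_digest": _kdf(master_key, salt, 20),
            "slots": [_slot(master_key, passphrase)]}

def find_slot(hdr, passphrase):
    """Return (slot index, master key) for the first keyslot the passphrase opens."""
    for i, s in enumerate(hdr["slots"]):
        cand = _xor(s["blob"], _kdf(passphrase, s["salt"], len(s["blob"])))
        if _kdf(cand, hdr["mk_salt"], 20) == hdr["mk_digest"]:
            return i, cand
    return None, None

def change_passphrase(hdr, old, new):
    i, mk = find_slot(hdr, old)
    if mk is None:
        raise PermissionError("no keyslot matches the supplied passphrase")
    hdr["slots"][i] = _slot(mk, new)  # same master key, new wrapping

def scenario():
    data_key = os.urandom(32)                 # master key the data is encrypted with
    live = format_header(data_key, b"old-pass")
    backup = copy.deepcopy(live)              # header copy taken while old-pass was valid
    change_passphrase(live, b"old-pass", b"changed-pass")
    result = {
        "live_rejects_old": find_slot(live, b"old-pass")[1] is None,
        "backup_opens_data": find_slot(backup, b"old-pass")[1] == data_key,
    }
    data_key = os.urandom(32)                 # master key replaced (re-encryption)
    live = format_header(data_key, b"fresh-pass")
    result["backup_useless_after_rekey"] = find_slot(backup, b"old-pass")[1] != data_key
    return result

if __name__ == "__main__":
    print(scenario())
```

The same property means every retained header backup has to be protected like a credential, since changing or removing a passphrase on the live header does not invalidate it.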

