[dm-crypt] What are the security implications if I have the key using dmsetup?

Arno Wagner arno at wagner.name
Tue Nov 15 23:33:20 CET 2011


On Tue, Nov 15, 2011 at 11:37:50AM +0530, saurabhasamanta at bel.co.in wrote:
> I am new to disk based encryption techniques. I have encrypted the disk
> using cryptsetup. I used dmsetup tool where I am able to see the table
> with the keys and encryption details. The following steps were followed:
> 1. Encrypting of the disk (pendrive) using "cryptsetup"
> 2. Creating the file system using "mkfs"
> 3. Mounting of disk
> 4. Unmounted the disk.
> 5. Reinserted the disk
> 6. Used "dmsetup table --showkeys" to get the table.
> 7. Used the table values and dmsetup tool to mount the disk.
> Question I would like to ask:
> 1. Is this a loophole or vulnerability that key is accessible?

No. If you are root on a Linux system, you can read the whole
memory anyways, and the key is somewhere in the memory image.
Also if the container is mapped, root can access anything in it.

> 2. What are the security implications if I have the key using dmsetup?

None. Unless you store it somewhere. For a discussion of
LUKS header backups and storing the master key, see the
cryptsetup FAQ.

> 3. How secure is my disk ?

Answering that question requires a full risk analysis.

> 4. Is there any solution to hide the key from getting exposed?

Protect your root account.

It seems, however, what you forgot in your test was to
unmap the encrypted container. Until you do, the key is in
memory. Unmounting does not remove that mapping. Use
"cryptsetup remove <device mapped to>" for plain and
"cryptsetup luksClose <device mapped to>" for LUKS
containers to remove the mapping, which also removes the key
from memory.


> Thank you.

Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno at wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 
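A small shell helper, added here as an example (it is not from Arno's mail or from the cryptsetup project), that turns the advice above into a check: it parses `dmsetup table` output for "crypt" targets, each of which still holds its key in kernel memory, and closes any that remain with the luksClose/remove commands named in the reply. The sample table text and the hex key in it are constructed placeholders, and the use of `cryptsetup status` to tell LUKS from plain mappings is an assumption about its output format.

```shell
#!/bin/sh
# Added example, not part of the original mail: find device-mapper "crypt"
# targets (each one still has its key resident in the kernel) and close them.
# Parses the one-line-per-mapping format printed by `dmsetup table`:
#   <name>: <start> <length> <target> <target args...>

# Print the name of every mapping whose target is "crypt".
# $1: text in `dmsetup table` format (with or without --showkeys).
crypt_mappings() {
    printf '%s\n' "$1" | awk '$4 == "crypt" { sub(/:$/, "", $1); print $1 }'
}

# Number of crypt mappings in $1; 0 means no dm-crypt key is held for them.
crypt_mapping_count() {
    printf '%s\n' "$1" | awk '$4 == "crypt" { n++ } END { print n + 0 }'
}

# Close every live crypt mapping (needs root). Unmount first: an unmount
# alone leaves the mapping, and therefore the key, in place.
close_crypt_mappings() {
    for name in $(crypt_mappings "$(dmsetup table)"); do
        # Assumes the mount shows up under its /dev/mapper/<name> path.
        if grep -q "^/dev/mapper/$name " /proc/mounts; then
            echo "$name is still mounted; unmount it first" >&2
            continue
        fi
        # Assumed: cryptsetup status prints "type: LUKS1/LUKS2" or "type: PLAIN".
        if cryptsetup status "$name" | grep -q 'type: *LUKS'; then
            cryptsetup luksClose "$name"
        else
            cryptsetup remove "$name"
        fi
    done
}

# Constructed sample of `dmsetup table --showkeys` output: the hex key is a
# placeholder, not a real key. Only "pendrive" is a crypt target.
SAMPLE_TABLE='pendrive: 0 15728640 crypt aes-cbc-essiv:sha256 00112233445566778899aabbccddeeff 0 8:17 0
vg-root: 0 41943040 linear 8:2 2048
vg-swap: 0 4194304 linear 8:2 41945088'

echo "crypt mappings in sample: $(crypt_mappings "$SAMPLE_TABLE")"
echo "count: $(crypt_mapping_count "$SAMPLE_TABLE")"

# Run against the real table only when asked, since closing needs root.
if [ "${1:-}" = "--close" ]; then
    close_crypt_mappings
fi
```

Running the script with `--close` as root after unmounting performs the cleanup; without it, the script only exercises the parser on the constructed sample.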
