[dm-crypt] Key-Slot Checker Tool
gmazyland at gmail.com
Sun Sep 9 10:27:44 CEST 2012
On 09/09/2012 02:41 AM, Arno Wagner wrote:
> Hi all.
> I just wrote a very simple key-slot checker. It divides all
> active keyslots into 512 byte sectors and calculates entropy
> for each. For valid encrypted data, entropy will be close
> to 0.95 on average (would be 1, but this is sample entropy,
> calculated on a limited data set).
Yes, this is something very useful.
But 512 slots is quite a small chunk of random data, there will be
some false warnings I guess.
(Adding a test for the whole keyslot combined
with separate sectors? Not sure if it helps something though...)
(Well, and it cannot obviously detect corruption with
overwriting random data :)
> No fancy output, no library usage (but verifies LUKS version),
> support for non-default key-sizes and setting your own entropy
> threshold. I put in 0.85 as default threshold, which should work
> Now I am not sure where to put it. Should I put it in
> misc/ in the sources? That seems to be sort of a contrib/
> directory. Or should we add a section in the Wiki for
Parsing the header on its own is something which should
not even be in the misc section (in the worst case it should
include luks.h directly).
But anyway, this could be integrated into luks
format checker directly (and run in "check" cryptsetup command).
(And the same random test perhaps should be in tests for large
enough blocks - see tests/differ.c, there is nice fixme :-)
I am just not sure introducing floating point in libcryptsetup
is a good idea. But perhaps this can be a compile time option,
if some ancient/embedded CPU/distro has problems here,
so it can be compiled-out.
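
The per-sector entropy check discussed in this thread, sketched as an added example (not part of the original message and not the posted tool). It runs the check over a constructed keyslot area with one zeroed sector, one text-overwritten sector and one sector overwritten with other random data, and also reports the whole-area entropy. The 250-sector area size, the SHA-256 stand-in for encrypted key material and all function names are assumptions.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512       # sector size the checker works on
THRESHOLD = 0.85   # default threshold mentioned in the thread

def sample_entropy(data):
    """Shannon entropy of the byte histogram, scaled so 8 bits/byte = 1.0."""
    if not data:
        return 0.0
    n = len(data)
    bits = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return bits / 8.0

def check_keyslot(area, threshold=THRESHOLD):
    """Return (sector indexes below threshold, entropy of the whole area)."""
    low = [i // SECTOR for i in range(0, len(area), SECTOR)
           if sample_entropy(area[i:i + SECTOR]) < threshold]
    return low, sample_entropy(area)

def constructed_random(n, label):
    """Constructed stand-in for encrypted key material (SHA-256 counter stream)."""
    blocks = (hashlib.sha256(label + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def build_samples(sectors=250):
    """Constructed keyslot areas: one intact, one with three sectors damaged."""
    clean = constructed_random(sectors * SECTOR, b"keyslot")
    damaged = bytearray(clean)
    # Sector 3: zeroed out.
    damaged[3 * SECTOR:4 * SECTOR] = bytes(SECTOR)
    # Sector 10: overwritten with plain text.
    damaged[10 * SECTOR:11 * SECTOR] = (b"Loading stage2... " * 40)[:SECTOR]
    # Sector 20: overwritten with different random-looking data.
    damaged[20 * SECTOR:21 * SECTOR] = constructed_random(SECTOR, b"other")
    return clean, bytes(damaged)

if __name__ == "__main__":
    clean, damaged = build_samples()
    for name, area in (("clean", clean), ("damaged", damaged)):
        low, whole = check_keyslot(area)
        print(f"{name}: low-entropy sectors={low} whole-area entropy={whole:.4f}")
```

On the damaged sample only sectors 3 and 10 are reported: the random overwrite of sector 20 is not detected, and the whole-area entropy stays above the threshold.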