[dm-crypt] Old Passphrases - are they a security threat?
ralf+dm at ramses-pyramidenbau.de
Wed Jun 25 15:53:33 CEST 2014
On 06/25/2014 03:21 PM, Daniel Breznau wrote:
> After reading the FAQ, I’m still unclear on something - if someone knows an old passphrase to my LUKS encrypted partition, then could it somehow be used with the master key to decrypt the drive?
Only the master key is used to decrypt the drive. The passphrase is used
to derive the master key.
Changing the passphrase or removing key slots will not change the master
After removing a key slot from a LUKS volume, the passphrase of that
slot will no longer be able to derive the master key as it will be
wiped. And hence it will not be able to decrypt your volume.
So an "old passphrase" resp. old key slot is not able to unlock your
volume. But keep in mind that it actually was able to unlock your volume
before removing it. (so an old backup of the Luks header is still able
to unlock your volume).
I hope this answers your question.
More information about the dm-crypt