[dm-crypt] Using a removable-device-recorded passphrase to decrypt a system

Arno Wagner arno at wagner.name
Fri Jun 26 15:19:45 CEST 2015

Hi Heinz,

I doubt it. It is a valid question, bit also one any halfway
competent implementor of crypto on Linux has to ask themselves.

Without verifying what is actually done (Milan is the expert for 
that), I assume:

- Passphrases get stored only in locked memory and that does
  not get swapped. (Root permissions are needed anyways for
  setting up any mapping. E.g. GnuPG has a harder job here
  as it does not necessarily run as root. AFAIK it uses a
  suid second stage exactly for the purpose of having locked
- Passphrases are wiped from memory as soon as possible.
- I have no idea whether locked memory can end up in a 
  core-dump, but usually these are disabled anyways.
- In-kernel keys are protected against leaking to disk.

The thing is, system encryption is not easy to do and conceptually
does not help a lot. If it was necessary to prevent having
passphrases/keys to disk, that would be a major security flaw
in the handling of said passphrases/keys and it would affect 
other things as well, like GnuPG, OpenSSL, etc. and so I hope
somebody would have complained by now if that was a real issue.


On Fri, Jun 26, 2015 at 14:59:18 CEST, Heinz Diehl wrote:
> On 26.06.2015, Arno Wagner wrote: 
> > My advice is to not encrypt the system partition itself, just
> > all user and data partitions.
> I wonder if the passphrase could leak to the unencrypted system partition in such
> a scenario. E.g. memory contents dumped to disk while crashing or
> similar. In fact, I don't know what is possible or not, I'm just
> curious..
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier

More information about the dm-crypt mailing list