[dm-crypt] pashphrase management question

Arno Wagner arno at wagner.name
Thu Oct 27 09:55:35 CEST 2016

On Thu, Oct 27, 2016 at 01:17:42 CEST, Robert Nichols wrote:
> On 10/26/2016 11:43 AM, ClEmFoster wrote:
> >hello,
> >
> >The setup:
> >
> >I work in an environment that has a whole disk encryption requirement for
> >VMs.  If the VM is restarted an admin has to hit the console and type in
> >the passphrase to boot.  This is OK, we don't reboot much, and security
> >guys are happy.  The problem is they are going to start requiring that
> >these machines also receive a passphrase change every 3 or 6 months.  That
> >brings me to the question.
> Are "they" aware that anyone who has had read access to the device
> with the LUKS container has had an opportunity to copy the LUKS
> header, and can always use that LUKS header with the old passphrase
> to unlock the container (perhaps after spending however much time
> and processing power is needed to crack that passphrase offline).
> For that matter, anyone with root access to the VM while the LUKS
> container is unlocked can easily obtain the master key
> (dmsetup table --showkeys /dev/{whatever}) and can always access
> the LUKS container with that.
> Changing the passphrase doesn't protect against any of that.

This is probably just the usual "cargo-cult" security, i.e.
follow the ritual (a.k.a. "Process") without question,
because that would require understanding.

Regular passphrase changes on storage-encryption make 
absolutely no sense and gives you absolutely no
protection benefit (unless you have told somebody
that should not know, in which case you need to change 
them immediately).

I would try to give "them" a definition of the LUKS
passphrase that does not make it a "password" or 
"login credential", and with a bit of luck you can
negate thereby prevent the usuall "password" process
and its requirements from applying. 

One approach would be to make this a "technical secret" 
or the like. After all, they probably to not require, 
say,  passphrases protecting certificates to be changed 
regularly, because that would be relatively difficult.

Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier

More information about the dm-crypt mailing list