LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-28-2017, 11:33 AM   #1
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

LUKS - Is that key-slot a pass phrase or a key file?


If I have a cryptsetup/LUKS-encrypted file or partition on my system, is it possible to tell whether it is secured by a pass phrase or a key file? Obviously if I attempt to unlock it and have the correct pass phrase it will unlock and I will know that it uses a pass phrase. If more than one LUKS slot is filled, as I can see without providing the pass phrase when I do a luksDump:
Code:
LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
MK digest:      70 09 c7 fb be a7 26 10 06 27 69 e9 4c 49 cd 50 3c a7 c6 e0 
MK salt:        46 d4 7b 30 69 37 85 8c d1 1d 62 14 b9 1e 28 37 
                87 43 23 e5 51 f2 9a 9c 42 7c bb ca 57 61 28 fe 
MK iterations:  62125
UUID:           5d717ba5-c665-4634-86a5-f2c76d582995

Key Slot 0: ENABLED
        Iterations:             248061
        Salt:                   09 0c 31 f2 73 60 a5 8f 1c e8 81 78 c4 fa fc 3e 
                                1d 43 82 43 61 a2 dd ed 27 bd 02 8f 06 38 a5 2c 
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             243808
        Salt:                   11 5f 56 dd e4 f7 77 39 2b e6 59 d2 4f 99 78 48 
                                c2 17 77 98 3c 44 58 72 04 bb e5 1e f3 a5 3e e6 
        Key material offset:    264
        AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Is there a way to tell if one of those slots represents a key file? Or is there some other technique/tool which can tell?

TIA,

Ken
 
Old 01-28-2017, 12:51 PM   #2
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: Rocky Linux
Posts: 4,784

There is no distinction. Whichever is provided is fed into an iterated hash function, the output from which is used to attempt decryption of the master key. Nothing matters about the source of that input. You can store a passphrase in a file and use that as a key file, or (if you can figure out how to insert the non-ASCII bytes) enter the content of a key file as a passphrase.
 
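Added example, not code from the thread: a Python parser for the LUKS1 binary header that shows what a key-slot record actually stores (active flag, iteration count, salt, key-material offset, AF stripes, nothing else), then runs the same PBKDF2 step over a typed passphrase and over key-file bytes to show the slot cannot tell them apart. The field layout is the published LUKS1 on-disk format; the header bytes, salts, iteration counts and the passphrase "correct horse" are constructed. It also covers one practical caveat: cryptsetup uses key-file bytes verbatim, so a file written with `echo` (trailing newline) is a different secret from the same text typed at a prompt.

```python
import hashlib
import struct

# LUKS1 on-disk header, all fields big-endian: a 208-byte fixed part, then 8 key slots of 48 bytes each.
LUKS_MAGIC = b"LUKS\xba\xbe"
HDR_FMT = ">6sH32s32s32sII20s32sI40s"  # magic, version, cipher, mode, hash, payload off, key bytes, MK digest, MK salt, MK iters, uuid
SLOT_FMT = ">II32sII"                  # active flag, iterations, salt, key-material offset, AF stripes
SLOT_ACTIVE, SLOT_INACTIVE = 0x00AC71F3, 0x0000DEAD
SLOT_FIELDS = ("active", "iterations", "salt", "key_material_offset", "af_stripes")

def parse_luks1_header(hdr: bytes) -> dict:
    """Decode the header as luksDump does. A slot record holds only the five SLOT_FIELDS;
    nothing records whether its secret was typed at a prompt or read from a file."""
    fixed = struct.unpack_from(HDR_FMT, hdr, 0)
    if fixed[0] != LUKS_MAGIC or fixed[1] != 1:
        raise ValueError("not a LUKS1 header")
    slots = []
    for i in range(8):
        rec = struct.unpack_from(SLOT_FMT, hdr, 208 + 48 * i)
        slot = dict(zip(SLOT_FIELDS, rec))
        slot["active"] = rec[0] == SLOT_ACTIVE   # anything else (normally 0x0000DEAD) is a disabled slot
        slots.append(slot)
    return {"cipher": fixed[2].rstrip(b"\0").decode(), "mode": fixed[3].rstrip(b"\0").decode(),
            "hash": fixed[4].rstrip(b"\0").decode(), "key_bytes": fixed[6], "slots": slots}

def slot_key(secret: bytes, slot: dict, hash_name: str, key_bytes: int) -> bytes:
    """PBKDF2 step cryptsetup applies to whatever bytes it was handed; the result decrypts the
    slot's anti-forensic key material. The origin of `secret` never enters the computation."""
    return hashlib.pbkdf2_hmac(hash_name, secret, slot["salt"], slot["iterations"], dklen=key_bytes)

def keyfile_equals_passphrase(keyfile: bytes, passphrase: str, info: dict, slot_no: int) -> bool:
    """True when a key file with these bytes unlocks the same slot as the typed passphrase.
    Key-file bytes are used verbatim, so a trailing newline (what `echo` writes) is a different secret."""
    slot, h, n = info["slots"][slot_no], info["hash"], info["key_bytes"]
    return slot_key(keyfile, slot, h, n) == slot_key(passphrase.encode(), slot, h, n)

def constructed_header() -> bytes:
    """Constructed sample header (not from a real device): aes/xts-plain64/sha1, slot 0 active,
    slots 1-7 disabled. Iteration counts are kept tiny so the example runs instantly."""
    fixed = struct.pack(HDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha1", 4096, 32,
                        b"\x11" * 20, b"\x22" * 32, 1000, b"00000000-0000-0000-0000-000000000000")
    slot0 = struct.pack(SLOT_FMT, SLOT_ACTIVE, 2000, b"\x33" * 32, 8, 4000)
    empty = struct.pack(SLOT_FMT, SLOT_INACTIVE, 0, b"\0" * 32, 0, 4000)
    return fixed + slot0 + empty * 7

if __name__ == "__main__":
    info = parse_luks1_header(constructed_header())
    print("fields stored per key slot:", sorted(info["slots"][0]))  # no 'type' or 'keyfile' field exists
    print("echo-written key file unlocks slot 0:", keyfile_equals_passphrase(b"correct horse\n", "correct horse", info, 0))
```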
Old 01-28-2017, 01:20 PM   #3
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Thanks rknichols,

I have used both pass phrases and key files. On my servers I have the OS installed on a USB flash drive - saves a SATA port for a data drive - and have a key file in /root on the flash drive. Entries in /etc/crypttab unlock the data drives - well actually unlock the encrypted partitions on the drives.

What prompted my question... I read this week of a court case which required a person to unlock his smart phone with a fingerprint. This action was decided not to be protected under the 5th Amendment, just as providing a physical key to a physical safe is not protected. However, providing a password from one's brain IS protected. Therefore I could be compelled to provide a key file to decrypt a drive while I could not be compelled to provide the pass phrase to the same drive. That got me wondering if there was any way to determine that a key file was referenced by the encrypted drive, file, partition etc.

Not that I have anything that sensitive on my servers. If I did I would take the old school approach: a thermite grenade on top of the hard drives and a trip wire across the doorway.

The reason I encrypted the drives is in the event I ever have to return one for warranty replacement. It would be hard to make sure I had deleted a batch of old tax returns from somewhere on a multi-TB drive. This concept has already proved its value. I had just installed 2 new 6 TB Western Digital drives in my server and copied about 1 1/2 TB of data onto one drive when it began throwing errors. I simply unplugged it and sent it back.

Thanks again,

Ken
 
Old 02-07-2017, 07:47 AM   #4
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,691
Blog Entries: 4

Well, that's not entirely true. "When you give us the pass phrase, we'll let you out and let you eat."