About LUKS partition security
Please creat a LUKS format disk, insert another U-disk(etc.) to your
computer. In 1.1~beta1:
AccessoriesDisk
Utility>click your U-disk on the
leftFormat
drive,Format,Format>Creat
Partitionchoose FAT>Encrypt
underlying deviceCreat>input
password->Creat. Now a LUKS format partition is created.
This partition can be open in Windows by FreeOTFE:
FileLinux volume>Mount
partitionDon’t click Entire disk, just
click the partition on the picture, Ok>input your password,
now you can decrypt the LUKS volume created in Tails.
I backup the CBD of LUKS patitions created by tails-i386-1.0.1 and tails-i386-1.1~beta1, this operation don’t need password. Both CBD indicate the security information of the partition in plain text without encryption.
“LUKS aes cbc-essiv:sha256 sha1… following encrypted user password and encrypted master key(never change)”
It’s obviously a big security hole, so TrueCrypt encrypt its CBD to remove any tag, and FreeOTFE not only encrypt its CBD but also hide CBD by setting OFFSET value which user had setup when creating the partition.
Cryptsetup don’t hide its basic security information. If you choose
cryptsetup, I hope you could provide more options when creating a secure
partition or volume, algorithm AES-CBC-ESSIV is not secure enough,
AES-XTS would be better. Cryptsetup has options like: —hash, —cipher,
—verify-passphrase, —key-file, —key-size, —offset, —skip, —readonly.
Hidden partition created by offset and without any tag is the trend of
security. To gain maximum security, a FreeOTFE like software is preferd.
The following is the CBD of the partitions created by Tails.
cryptsetup Style Dump of encrypted partition created in
tails-i386-1.1~beta1
——————————-
LUKS header information for \Device\Harddisk3\Partition1
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 4096
MK bits: 256
MK digest: bf 54 8e 3e cb a2 6d 73 80 58 6c fb 6a 5b 82 5a 8e 8d db bc
MK salt: 74 1c a2 a6 14 da d9 e1 36 93 30 24 83 ec dc 68
b7 f5 79 01 90 31 73 15 d8 c3 47 c6 81 11 1b 81
MK iterations: 25500
UUID: 6e494f9d-dbeb-4ba1-baf0-ef6e158793e4
Key Slot 0: ENABLED
Iterations: 102056
Salt: 75 71 8f c1 27 99 86 7e 14 9b 3f d7 95 ec ca be
7a ee 17 0a f3 7a 44 23 4b 29 0c 34 39 fc 6b c3
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
Master Key
—————
User supplied password : test
Password unlocks key slot: 0
Recovered master key :
00000000 | 67 BE FE 89 43 98 37 DF | g…C.7.
00000008 | 3A E8 91 DF 1E 7C AB 89 | :….|..
00000010 | 0F 2A 9F CC 59 3C 30 98 | .*..Y<0.
00000018 | 57 37 5E 02 84 E3 0A E2 | W7^…..
cryptsetup Style Dump of encrypted partition created in
tails-i386-1.0.1
——————————-
LUKS header information for \Device\Harddisk3\Partition1
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 2056
MK bits: 256
MK digest: 1d 5f 54 cd ce 46 59 8e 1c 56 3b 1e 6b cd f6 42 2e df e4 db
MK salt: b8 b8 d9 06 57 d9 7d 92 fc 82 e0 b7 d6 25 81 46
fa ce 4b 70 62 d8 0f 3d 3a 3e 4b ec f8 6e fc 27
MK iterations: 20500
UUID: 99a86cfc-401d-451f-98a5-922140b4ebb9
Key Slot 0: ENABLED
Iterations: 82414
Salt: 39 ed c7 4e 86 65 e5 a7 cd 18 e6 01 37 4a 6e c8
fb 4c 62 94 fb c3 e9 f3 32 13 2c 3a e1 de 3d 70
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
Master Key
—————
User supplied password : test2
Password unlocks key slot: 0
Recovered master key :
00000000 | D8 BF 1B 82 75 DD D4 BF | ….u…
00000008 | 01 78 78 E5 12 DB 87 91 | .xx…..
00000010 | 64 4A 25 34 B1 4E FE 9B | dJ%4.N..
00000018 | 22 B5 08 9A A1 D1 33 12 | "…..3.
Related issues
- Is duplicate of #5929
Original created by @acraky on 7541 (Redmine)