6

why is it a risk to clone a LUKS container?

view full story
linux-howto

http://askubuntu.com – I recently installed Ubuntu onto an encrypted partition using the LUKS+LVM combination that the 'alternate' installer offers. Now I want to create backups of my HD. From the LUKS FAQ: 6.15 Can I clone a LUKS container? You can, but it breaks security, because the cloned container has the same header and hence the same master key. You cannot change the master key on a LUKS container, even if you change the passphrase(s), the master key stays the same. That means whoever has access to one of the clones can decrypt them all, completely bypassing the passphrases. How can the exis (HowTos)

Songlist's picture
Submitted by Songlist on 06/08/2012 – Made popular on 06/08/2012

Stories similar to why is it a risk to clone a LUKS container?

I need to move a container to a different filesystem, specifically a subdir of an already mounted LUKS/dm-crypt home dir. I tried moving it there and then bind mounting or symlinking it to /var/lib/lxc/foo but when I do lxc-start -n foo just exits immediately.

Debugging output just says lxc_start - container init process exited and lxc_error - child <30146> ended on error (1).

Hi,I'm trying to have permissions with thunar to mount LUKS container (a file, not a device).I have already installed gvfs, gvfs-afc, gvfs-gphoto2, thunar-volman, and I'm in the storage group. My ~/.xinitrc simply has "exec startxfce4".

Cannot boot after last upgrade 46 weeks 5 days ago

I dualboot Arch Linux and FreeBSD, but I don't use Arch that often (mostly for gaming), so I haven't updated in a while.

I have a Debian Linux system (amd64) installed on a RAID-1 system encrypted device (LVM on LUKS) and will have a RAID-6 of >=4 disks where I'll put my data (LUKS and maybe LVM).

I think the basic idea is to unlock the system encrypted partition (at boot at local or via ssh) and to store a keyfile in /etc/crypttab for the RAID-6 encrypted partition. Does that pose a security risk ? I mean ...

My google-fu is not strong. Can't find answers on this one. Maybe I'm googling the wrong stuff.

Okay, so I just redid the server. Installed it something like this: /dev/sda1, /boot, ext2 (unencrypted) /dev/sda2, /, ext3 on luks (Planning on a swapfile if needed.)

I already asked once about LUKS unlocking of multiple HDDs in Linux: LUKS and multiple hard drives.

Now I would like to know how to secure store the keyfile used for the automatic unlock of the associated partitions.

My plan is (if possible):

Encrypt a small USB drive with LUKS that requires a passphrase Unlock it at boot as the first drive by using the passphrase Mount it to a given mount poi

Thanks for the help so far. I decided against using a keyfile and tailored a set of instructions for my goal (LVM on LUKS, passphrase, non-efi).

I've noticed that a few bad things have happened to my alternate-CD LUKS encrypted installation of Ubuntu like

gconf directory and settings disappeared Evolution sent mail from the past decade now has 36 items Also, when I ssh in from my netbook I notice that in the welcome message there's a persistent notification that

Quote:

*** /dev/mapper/udisks-luks-uuidetcetcte

I have a machine with a brand new install of Fedora 11 with luks encryption. I've added a keyfile to luks and have put that keyfile on a usb stick. I'd like the machine to boot all the way in when it's powered on with the usb stick plugged in.