Bug#723729: partman-crypto: LUKS master key is read from /dev/urandom
Package: partman-crypto
Severity: important
Tags: d-i
Hello,
it seems that upon initialization of encrypted volumes, the LUKS master
key is created by reading "entropy" from /dev/urandom which means that
in case the kernel is low on entropy at the time of volume creation,
the volume will be vulnerable to cryptanalysis. This is very, very
bad, it puts our users at risk.
Sadly, this insecure method for creating the master key is the default
and cryptsetup requires explicit specification of the "--use-random"
switch for /dev/random to be used instead, cf.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714331
I understand that machines without entropy sources will block when
reading from /dev/random, but I sincerely believe that it is
irresponsible to cover that up by silently degrading encryption,
instead of alerting the user to that fact.
Thus I propose to change setup_luks() to:
1. By default, run cryptsetup with "--use-random" in a backgrounded
job.
2. In case the job doesn't return within a couple of seconds, instruct
the user to a) either press keys until enough entropy has been
gathered or b) select "Cancel" and continue in unsafe manner. If the
user choses b), kill cryptsetup and re-run it with "--use-urandom".
3. In case of unattended installs, abort the installation if cryptsetup
doesn't return within say 60 seconds.
4. Add a config option ("allow unsafe master key") to allow pre-seeding
of "--use-urandom".
Best regards,
Thiemo
Reply to: