key rollover page: cryptsetup

To: debian-www@lists.debian.org
Cc: team@security.debian.org
Subject: key rollover page: cryptsetup
From: Moritz Muehlenhoff <jmm@inutil.org>
Date: Fri, 16 May 2008 22:32:59 +0200
Message-id: <[🔎] 20080516203259.GA3394@galadriel.inutil.org>

>From David Härdeman and Jonas Meurer.

cryptsetup
==========

Cryptsetup itself does not use openssl for encryption (this applies to
both LUKS and dm-crypt devices).

*If* cryptsetup has been configured to use SSL-encrypted keyfiles (a
non-default setup which must be explicitly configured by the user)
and a broken version of openssl was used to generate the keyfile, the
keyfile encryption may be weaker than expected (as the salt is not
truly random).

The solution is either to re-encrypt the keyfile (if you are
reasonably certain that the encrypted key has not been disclosed to to
any third parties) or to wipe and reinstall the affected partition(s)
using a new key.

Instructions for re-encrypting a keyfile:

Do the following for each SSL-encrypted keyfile, replacing
<ssl_encrypted_key_path> with the path to the actual keyfile:

tmpkey=$(tempfile)
openssl enc -aes-256-cbc -d -salt -in <ssl_encrypted_key_path> -out "$tmpkey"
shred -uz <ssl_encrypted_key_path>
openssl enc -aes-256-cbc -e -salt -in "$tmpkey" -out <ssl_encrypted_key_path>
shred -uz "$tmpkey"

Reply to:

Follow-Ups:
- Re: key rollover page: cryptsetup
  - From: Joey Hess <joeyh@debian.org>

Prev by Date: Re: key rollover page: boxbackup
Next by Date: Re: krb5 / Lenny status
Previous by thread: Re: key rollover page: boxbackup
Next by thread: Re: key rollover page: cryptsetup
Index(es):
- Date
- Thread