Linux – Are there more advanced LUKS key schemes, e.g. 2 of 3 keys needed

encryptionlinuxluks

It seems like the two main LUKS encryption options are:

USB keyfile (see https://superuser.com/questions/149578/how-can-i-use-a-keyfile-on-a-removable-usb-drive-for-my-encrypted-root-in-debian)
Typing in a password

These both have weaknesses. The first can be overcome by stealing the USB drive. In the second case, a keylogger could be used, or I could be forced to give over the password.

Would it be possible to create an encryption scheme that required both of the options? Then, if I was given an injuction to provide the password, I could destroy the USB drive (e.g. burn it on the stovetop); conversely, if someone stole my USB drive, they would need to get my password as well.

It seems the existing LUKS key slot idea is that providing a key for any key slot will unlock the device, not that one has to provide a key for all, or say "2 of 3" key slots (iirc the latter can be accomplished in a cryptographically secure manner using a Galois field).

(Also, I happen to be on an OpenSuSE system, so please keep answers distro-agnostic or something that can work on SuSE.)

Best Answer

I don't think something like this exists right out of the box, but it should be possible. I'll put together some references for you.

First there's /etc/crypttab - typically you specify a key file or password in the third slot, but some distros allow you to specify an option in the fourth field called keyscript (debian and opensuse support this: http://linux.frank4dd.com/en/man5/crypttab.htm). This script (which must be in "/lib/cryptsetup/scripts" iirc) can use the third field (what would normally be just the keyfile or password) as an argument. The keyscript's job is to send the actual decryption key to stdout, which cryptsetup then uses as the luks key in the normal fashion.

Second is that you will likely need to write the keyscript. netkeyscript (in github) is an example of a keyscript that listens on a UDP multicast socket for the password; here is another more detailed example of a custom key script, complete with an implementation in sh: http://wejn.org/how-to-make-passwordless-cryptsetup.html. How you code the keyscript (which I'll just call multifactor) I leave as an exercise to you ;)

Third is the secret splitting. you can use an open source tool called "ssss" (google for "ssss-split") to split the luks password in the manner you describe. let's say you split it into 3 pieces (a,b,c) and require any 2 of them. store "a" on the usb drive, "b" in a vault, and "c" you store with the computer (unencrypted partition), or whatever. Of course you don't want "c" to be exposed, so encrypt it with a scheme of your choice using a passphrase you can remember, and call that passphrase "c0", and the encrypted "c" on your disk is "c'". Now your crypttab will look something like

root  /dev/disk/<blah blah>  /dev/<usb>:/path/to/a+$/dev/<blah>:/path/to/c'  keyscript=multifactor

what you actually will have for the third field will of course depend on what your keyscript is willing to accept

Ideally the keyscript should be able to determine that it needs your input to decrypt one or more of the keys (e.g.: c' -> c in this case), but you can use the third field to specify that as desired. In my example above, I used a leading $ to indicate that.

I'm not sure if it's possible to make the keyscript prompt for input, possibly on stderr, since any output on stdout is taken as the luks password. It would be nice if there was a sensible fallback.

Anyway, good luck and happy hacking :)

Related Solutions

LUKS Encryption – Storing Keyfile in Encrypted USB Drive

Your approach looks good. Some remarks though:

If you want to encrypt rootfs, you'll need to use initrd (to have some minimal unencrypted system that will process the encrypted partitions).

If the USB device is removable, both initrd and kernel can be stored on the USB to heighten tamper resistance (supposing you make sure the USB won't get into unauthorized hands) - which is usually why one encrypts rootfs. Once both kernel and initrd are on a removable media, you can ensure that nobody changes the kernel (or initrd) from the running system by simply removing the media.

This is of course not an option if you want to have it inside of a server, but then again the question stands whether it makes sense to have such a device at all and not to use a small partition on one of the hard-drives. If for example all drives in the machine are in RAID, one would probably want to put rootfs on the USB as well. An interesting alternative to an internally connected USB flash device could be a CompactFlash card attached to ATA interface through an adapter, by the way.

Some distributions offer prepared solutions for encrypted root, some don't - but mostly it's question of putting a couple of lines into initrd script before it tries to mount the "real" root (see for example man pages for pivot_root, usually in sections 2 (syscall) and 8 (bonary), if you're not familiar with the process).
remember to backup the keys and passphrases in case your USB drive dies. LUKS follows rather one-sided approach when it comes to damaging its header - once a single sector of its header (key-slot to be more precise) dies, you are unable to mount it. This is to make sure that erasing the header isn't effectively thwarted by block reallocation performed by the device itself (because that's what flash-memory based devices do a lot) - the key is spread over the whole key slot and one needs all of the data to reconstruct it - there is no redundancy. See Clemens Fruwirth's website for deeper discussion.

That said, maybe a simple encrypted device on the USB would be enough (check section PLAIN MODE in man cryptsetup). Or a file encrypted with e.g. openssl enc. The former might actually be an option even for the encrypted partitions themselves.

Why does LUKS need to generate hash values

The LUKS format has multiple key slots, each one may contain the encrypted master key that is used for data encryption. This master key is encrypted using another key which is derived from your passphrase.

Using plain hash_function(passphrase) to generate a key would be dumb as hashes such as sha1 can be calculated fast (SHA-1 is an example of a MAC algorithm, for authentication of a message, not to be used as plain for a password).

For data encryption based on a passphrase, you want the function to be slow to thwart brute-force attacks. For this purpose, PBKDF2 (password-based key derivation function) is used (see the excellent answers on this Sec.SE question for motivations and other examples).

derivedKey = PBKDF2(hash_function, passphrase, salt, iterations, derivedKeyLen)

The hash_function for my installation is sha1 as is shown in cryptsetup --help:

Default compiled-in key and passphrase parameters:
        Maximum keyfile size: 8192kB, Maximum interactive passphrase length 512 (characters)
Default PBKDF2 iteration time for LUKS: 1000 (ms)

Default compiled-in device cipher parameters:
        loop-AES: aes, Key 256 bits
        plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
        LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha1, RNG: /dev/urandom

The derived key length depends on the cipher used for data encryption. The number of iterations depends on your processor speed.

These details can be found in the manual page of cryptsetup (pbkdf2 should ring a bell). For other security details, see the FAQ of cryptsetup.

Best Answer

Related Solutions

LUKS Encryption – Storing Keyfile in Encrypted USB Drive

Why does LUKS need to generate hash values

Related Question