How can I get a HASH of the LUKS master key?

3

From: link

6.15 Can I clone a LUKS container?

You can, but it breaks security, because the cloned container has the same header and hence the same master key. You cannot change the master key on a LUKS container, even if you change the passphrase(s), the master key stays the same. That means whoever has access to one of the clones can decrypt them all, completely bypassing the passphrases.

The right way to do this is to first luksFormat the target container, then to clone the contents of the source container, with both containers mapped, i.e. decrypted. You can clone the decrypted contents of a LUKS container in binary mode, although you may run into secondary issues with GUIDs in filesystems, partition tables, RAID-components and the like. These are just the normal problems binary cloning causes.

Note that if you need to ship (e.g.) cloned LUKS containers with a default passphrase, that is fine as long as each container was individually created (and hence has its own master key). In this case, changing the default passphrase will make it secure again.

I have two notebooks with root access, installed with LUKS. I don't know whether they were originally CLONED or not.

My question: How can I create a HASH (e.g. sha512) from the LUKS master keys, so that I can compare the two and see whether they are the same or not?

    
by evachristine 15.03.2014 / 11:15

3 answers

2

Thanks for the answers, I created a sed command for it:

[root@notebook ~] test "$(whoami)" = root && k=$(cryptsetup luksDump -q --dump-master-key $(blkid | awk '/crypto_LUKS/ {print $1}' | cut -d: -f1 | head -1)) && echo "$k" | sed 's/^MK dump:/Fgkmtusjs\nMK dump:/g' | sed '1,/^Fgkmtusjs/d' | sed 's/.*\t//g' | sha512sum | sed "s/\-/$(hostname)/g"
Enter LUKS passphrase: 
d78abb0542736865f94704521609c230dac03a2f369d043ac212d6933b91410e06399e37f9c5cc88436a31737330c1c8eccb2c2f9f374d62f716432a32d50fac  notebook.localdomain
[root@notebook ~]

tested on: Scientific Linux 6.4; Ubuntu 12.04

    
by 16.03.2014 / 10:31
3

You can use

cryptsetup luksDump --dump-master-key /dev/whatever

to get the master key. Of course, you can transform the output to make it safe for transport:

cryptsetup ... | tail -2 | sed 's/^\(.*:\)\? *//' | sha1sum
    
by 15.03.2014 / 13:53
1

You can dump the master key using the --dump-master-key flag for luksDump:

cryptsetup --dump-master-key luksDump /dev/sda3

Example:

root@heredia:~# cryptsetup --dump-master-key luksDump /dev/sda3 

WARNING!
========
Header dump with volume key is sensitive information
which allows access to encrypted partition without passphrase.
This dump should be always stored encrypted on safe place.

Are you sure? (Type uppercase yes): YES
Enter passphrase: ********
LUKS header information for /dev/sda3
Cipher name:    aes
Cipher mode:    xts-plain64
Payload offset: 4096
UUID:           5f930991-3f91-47a4-b7ba-a40a3059f6bb
MK bits:        512
MK dump:        ab cd ef 00 01 02 03 04 05 ....

Note that this does not dump a hash (as you asked for), but rather the actual master key ...

    
by 15.03.2014 / 13:59
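
Added example, not part of any of the answers above: a shell function that reads the dump format shown on this page, collects the whole key whatever its length, checks it against the "MK bits:" line, and prints only a SHA-512 of it. The function names and the sample dump are constructed for illustration; the fingerprint is taken over the key's hex string, so compare only values produced the same way.

```shell
#!/bin/sh
# Added example: fingerprint a LUKS master key without printing or storing it.

# mk_hex: read `cryptsetup luksDump --dump-master-key` output on stdin and
# print the key as one lowercase hex string. It collects the "MK dump:" line
# and every continuation line, then checks the length against "MK bits:".
mk_hex() {
    awk '
        /^MK bits:/ { bits = $3 + 0 }
        /^MK dump:/ { in_mk = 1; sub(/^MK dump:/, "") }
        in_mk {
            if ($0 !~ /^[ \t]*([0-9A-Fa-f][0-9A-Fa-f][ \t]*)+$/) { in_mk = 0; next }
            gsub(/[ \t]/, "")
            key = key tolower($0)
        }
        END { if (key == "" || length(key) * 4 != bits) exit 1; print key }
    '
}

# mk_fingerprint: SHA-512 over the hex string; fails on a missing or short key.
mk_fingerprint() {
    hex=$(mk_hex) || { echo "incomplete or missing MK dump" >&2; return 1; }
    printf '%s' "$hex" | sha512sum | cut -d' ' -f1
}

# Constructed luksDump output (not a real key): 256-bit key on two lines.
# $1 = UUID text, $2 = last key byte, so the test data can vary either one.
sample_dump() {
    printf 'LUKS header information for /dev/sdXN\n'
    printf 'UUID:           %s\n' "$1"
    printf 'MK bits:        256\n'
    printf 'MK dump:\t00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f \n'
    printf '\t\t10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e %s \n' "$2"
}

# Two dumps with different UUIDs but the same key give the same fingerprint.
a=$(sample_dump uuid-a 1f | mk_fingerprint)
b=$(sample_dump uuid-b 1f | mk_fingerprint)
if [ "$a" = "$b" ]; then
    echo "same master key (cloned header)"
else
    echo "different master keys"
fi

# On a real system, as root (device path is a placeholder):
#   cryptsetup luksDump -q --dump-master-key /dev/sdXN | mk_fingerprint
```

Because the key never leaves the pipeline, only the fingerprint needs to be copied between the two machines for comparison.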
