[dm-crypt] Best practice for storing header backup and protecting against mistakes/misuse.

[dm-crypt] Best practice for storing header backup and protecting against mistakes/misuse.

[Waqar Khan]

Hi,
I have read through the FAQ and its got a lot of useful information
from the backup section.

I have encrypted /home and used

cryptsetup --dump-master-key luksDump /dev/dm-2

and

cryptsetup luksHeaderBackup --dump-master-key /dev/dm-2
--header-backup-file header

to make a copy of the header incase I forget my passphrase. I bought a
encrypted USB drive to put the header on.

My first question is, if something like header corruption/ passphrase
forgotten, would I be able to restore from my USB on to the LUKS
partition and continue using /home as it was? What if I have unmounted
it or rebooted the machine.

Second, what else should I be doing in order to protect against
accidents such as above?

Lastly, a few people have access to this machine (through the same
passphrase), some work colleagues, how can I protect against one
disgruntled member leaving the company and changing the passphrase
(then unmounting the volume for good measure) and not telling anyone?

Regards

Re: [dm-crypt] Best practice for storing header backup and protecting against mistakes/misuse.

[Michael Kjörling]

On 29 Mar 2017 14:42 +0100, from waqark3389temp@gmail.com (Waqar Khan):
> My first question is, if something like header corruption/ passphrase
> forgotten, would I be able to restore from my USB on to the LUKS
> partition and continue using /home as it was? What if I have unmounted
> it or rebooted the machine.

Using the header backup requires knowledge of a passphrase that was
current at the time when the header backup was taken.


> Lastly, a few people have access to this machine (through the same
> passphrase), some work colleagues, how can I protect against one
> disgruntled member leaving the company and changing the passphrase
> (then unmounting the volume for good measure) and not telling anyone?

I would argue that the answer to this is similar to if LUKS wasn't
involved at all. How are you already handling a disgruntled employee
leaving and, as their parting gift, using `at` to schedule something
like `rm -rf /home &>/dev/null` to be run as root, or pulling a few
disks out of the rack and taking the disks with them as they leave?

-- 
Michael Kjörling • https://michael.kjorling.se • michael@kjorling.se
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)

Re: [dm-crypt] Best practice for storing header backup and protecting against mistakes/misuse.

[Arno Wagner]

On Wed, Mar 29, 2017 at 15:42:03 CEST, Waqar Khan wrote:
> Hi,
> I have read through the FAQ and its got a lot of useful information
> from the backup section.

Thanks!
[...] 
> Lastly, a few people have access to this machine (through the same
> passphrase), some work colleagues, how can I protect against one
> disgruntled member leaving the company and changing the passphrase
> (then unmounting the volume for good measure) and not telling anyone?

Simple: Have a header backup with a known passphrase and make sure 
that potentially disgruntled employee cannot kill that backup. 
Then you can just restore that header backup and use the known 
good passphrase in there. I would recommend using a passphrase
for this that is used nowhere else and is the only passphrase
in that header.

Alternatively, you could write down or print the master key on
paper and put that in a sealed envelope and that in a safe
or bank lockbox. You should probably encrypt the master-key with 
PGP/GnuPG before and will still get something that still easily 
fits on paper and can be typed in with reasonable effort, but 
is less exposed than an unprotected master key and can be stored
in a place where it is just not easily destroyed,

Of course, you can also put a header-backup on paper, but that 
takes something like 50 pages or so if you just store the first 
keyslot.

Regards,
Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier

Re: [dm-crypt] Best practice for storing header backup and protecting against mistakes/misuse.

[Waqar Khan]

Arno, Michael,

Thank you for the information.

As a follow up. I will have a decrypted version of the master key
which I got via luksDump --dump-master-key. I checked the FAQ and cant
find something on how to overwrite a key slot with a good master key.
If I have this master key, what would be the process to replace the
passphrase in keyslot 0 with a new passphrase?

This is my process so far for backup in case of header corruption or
forgetting/changing passphrase:

1: Create a header backup:

Mount my encrypted USB drive
cd /mnt/encryptedUSB
cryptosetup luksHeaderBackup --header-backup-file
{hostname_partition_header}.bin /dev/xvdb1

2: Create a backup of the key:
cryptsetup luksDump --dump-master-key /dev/xvdb1 > {hostname_partition_dump}.txt
dmsetup table --target crypt --showkey /dev/mapper/encrypted >
{hostname_partition}.key
(this is going onto an hardware encrypted USB. I might replace this
with Arno's suggestion and stick this into a safe)

3: Create a Keepass file and store the passphrase at the time
{hostname_partition_header}.bin was taken.

Any suggestions, holes in this plan?

Thanks again.

On Wed, Mar 29, 2017 at 7:32 PM, Arno Wagner <arno@wagner.name> wrote:
> On Wed, Mar 29, 2017 at 15:42:03 CEST, Waqar Khan wrote:
>> Hi,
>> I have read through the FAQ and its got a lot of useful information
>> from the backup section.
>
> Thanks!
> [...]
>> Lastly, a few people have access to this machine (through the same
>> passphrase), some work colleagues, how can I protect against one
>> disgruntled member leaving the company and changing the passphrase
>> (then unmounting the volume for good measure) and not telling anyone?
>
> Simple: Have a header backup with a known passphrase and make sure
> that potentially disgruntled employee cannot kill that backup.
> Then you can just restore that header backup and use the known
> good passphrase in there. I would recommend using a passphrase
> for this that is used nowhere else and is the only passphrase
> in that header.
>
> Alternatively, you could write down or print the master key on
> paper and put that in a sealed envelope and that in a safe
> or bank lockbox. You should probably encrypt the master-key with
> PGP/GnuPG before and will still get something that still easily
> fits on paper and can be typed in with reasonable effort, but
> is less exposed than an unprotected master key and can be stored
> in a place where it is just not easily destroyed,
>
> Of course, you can also put a header-backup on paper, but that
> takes something like 50 pages or so if you just store the first
> keyslot.
>
> Regards,
> Arno
> --
> Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
> GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
> ----
> A good decision is based on knowledge and not on numbers. -- Plato
>
> If it's in the news, don't worry about it.  The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

Re: [dm-crypt] Best practice for storing header backup and protecting against mistakes/misuse.

[Michael Kjörling]

On 30 Mar 2017 11:18 +0100, from waqark3389temp@gmail.com (Waqar Khan):
> As a follow up. I will have a decrypted version of the master key
> which I got via luksDump --dump-master-key. I checked the FAQ and cant
> find something on how to overwrite a key slot with a good master key.
> If I have this master key, what would be the process to replace the
> passphrase in keyslot 0 with a new passphrase?

If you have a full header backup, then you can use that to restore the
container header via `cryptsetup luksHeaderRestore`, or you can use a
detached header via `cryptsetup --header`.

If you have only the master key, then you can write a new header
(possibly detached) with that specific master key using `cryptsetup
luksFormat --master-key-file`. I recommend making a fresh header
backup first in that case, in case you make a mistake.

-- 
Michael Kjörling • https://michael.kjorling.se • michael@kjorling.se
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)

Re: [dm-crypt] Best practice for storing header backup and protecting against mistakes/misuse.

[Arno Wagner]

On Thu, Mar 30, 2017 at 12:57:32 CEST, Michael Kjörling wrote:
> On 30 Mar 2017 11:18 +0100, from waqark3389temp@gmail.com (Waqar Khan):
> > As a follow up. I will have a decrypted version of the master key
> > which I got via luksDump --dump-master-key. I checked the FAQ and cant
> > find something on how to overwrite a key slot with a good master key.
> > If I have this master key, what would be the process to replace the
> > passphrase in keyslot 0 with a new passphrase?
> 
> If you have a full header backup, then you can use that to restore the
> container header via `cryptsetup luksHeaderRestore`, or you can use a
> detached header via `cryptsetup --header`.
> 
> If you have only the master key, then you can write a new header
> (possibly detached) with that specific master key using `cryptsetup
> luksFormat --master-key-file`. I recommend making a fresh header
> backup first in that case, in case you make a mistake.

The procedure to overwrite the master-key is documented
in FAQ item 6.10 as well. And I fully agree, do a backup
before!

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier