From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gmazyland@gmail.com>
Received: from mail-wr0-x242.google.com (mail-wr0-x242.google.com
 [IPv6:2a00:1450:400c:c0c::242])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by mail.server123.net (Postfix) with ESMTPS
 for <dm-crypt@saout.de>; Tue, 25 Apr 2017 18:30:03 +0200 (CEST)
Received: by mail-wr0-x242.google.com with SMTP id 6so11704235wrb.1
 for <dm-crypt@saout.de>; Tue, 25 Apr 2017 09:30:02 -0700 (PDT)
References: <a6e54426-5188-d4c7-ee7b-6f022b84bf22@depressiverobots.com>
 <f11f16b9-bbcd-4484-bc4b-403d25dc00b5@depressiverobots.com>
 <20170422002548.GA23882@tansi.org> <odfm32$fpm$1@blaine.gmane.org>
 <20170422134557.GB1425@tansi.org>
 <56144922-1d2e-b97c-3a5b-d7a952c84950@depressiverobots.com>
 <6bbee653-87c7-7145-82fe-785ab6fafece@depressiverobots.com>
 <CAF9Mo3+RqXS3ux_3C_K8T=Jur4eNinuWJ-qMqZsmVimzMqs1Dg@mail.gmail.com>
 <569e04ca-10ae-28fc-9db2-5bf0cb9daea5@depressiverobots.com>
 <CAF9Mo3LUGF6zRsdSCP9DoFReGqfuuh+xxN77no65ORy3ze_KDg@mail.gmail.com>
 <f93e698a-3d91-ae2c-fb58-de10630f55f4@depressiverobots.com>
 <odni46$efq$1@blaine.gmane.org>
 <CAF9Mo3+G8S8E_Vz8+3yGTiBgGUm+UHMDzAV-VVSQSs22ugUF_A@mail.gmail.com>
 <8434a425-d7dc-b3d6-9a7e-a93fa9d5037f@eschenberg.eu>
From: Milan Broz <gmazyland@gmail.com>
Message-ID: <c036836b-2fec-e974-2ba2-63309e92bfe4@gmail.com>
Date: Tue, 25 Apr 2017 18:30:00 +0200
MIME-Version: 1.0
In-Reply-To: <8434a425-d7dc-b3d6-9a7e-a93fa9d5037f@eschenberg.eu>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Subject: Re: [dm-crypt] LUKS header recovery attempt,
 bruteforce detection of AF-keyslot bit errors
List-Id: <dm-crypt.saout.de>
List-Unsubscribe: <http://www.saout.de/mailman/options/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=unsubscribe>
List-Archive: <http://www.saout.de/pipermail/dm-crypt/>
List-Post: <mailto:dm-crypt@saout.de>
List-Help: <mailto:dm-crypt-request@saout.de?subject=help>
List-Subscribe: <http://www.saout.de/mailman/listinfo/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=subscribe>
To: Sven Eschenberg <sven@eschenberg.eu>, dm-crypt@saout.de

On 04/25/2017 06:16 PM, Sven Eschenberg wrote:
> 
> Furthermore, everyone who had access to /dev/mem and was able to locate 
> the keys knows, them. On second thought, this holds certainly true for 
> the 'new central kernel key storage' (Forgot the name), depending on the 
> allover kernel configuration and userspace, that is.
> 
> At the end of the day dm-crypt (etc.) needs to store the key somewhere, 
> where it can be accessed at all times when an IO-Request comes in. There 
> is not that many options for that ;-).

Crypto API stores the key in memory as well (even the round keys etc), obviously.

We have already support for kernel keyring in dm-crypt (so the key will
not be directly visible in dmsetup table), this will be supported in next major
version of cryptsetup/LUKS.

But as you said, if you have access to the kernel memory, it is there anyway...

Milan