* [dm-crypt] LUKS partition creation date
From: Valdez @ 2021-05-26 8:48 UTC
To: Dm Crypt

Could a forensic investigation of an unmounted LUKS partition on a USB flash drive used to run Tails reveal any information about the date when the LUKS partition was created?

_______________________________________________
dm-crypt mailing list -- dm-crypt@saout.de
To unsubscribe send an email to dm-crypt-leave@saout.de

* [dm-crypt] Re: LUKS partition creation date
From: Michael Kjörling @ 2021-05-27 5:56 UTC
To: dm-crypt

On 26 May 2021 10:48 +0200, from u961866@tutanota.com (Valdez):
> Could a forensic investigation of an unmounted LUKS partition on a
> USB flash drive used to run Tails reveal any information about the
> date when the LUKS partition was created?

Whether the storage device is a SATA SSD, USB flash drive, rotational
fixed disk, floppy disk, or something you keep only in your brain, is
immaterial to LUKS, as long as it can accurately retain and allow
reading back high-entropy data.

I'm also going to assume that when you say "LUKS partition", you mean
a LUKS container. LUKS containers do not necessarily live inside
partitions.

Also, I'm not familiar with Tails specifically.

However, the LUKS on-disk formats are linked to from the front page of
the Wiki, at <https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home>.

I'm pretty sure there are no dedicated fields for such timestamps in
either on-disk format; I don't see how having them would serve any
valid purpose. However, you certainly can look over the format specs
if you're curious; for what they cover, they should be every bit as
authoritative as anything you'll get in replies here. You can also
compare them to the output of, say, `cryptsetup luksDump
--dump-master-key` on a dummy container.

Be aware that LUKS 2 is capable of storing arbitrary data in the
header. Something would still need to put such a timestamp there, of
course, but if this is a concern to you, you might consider sticking
with the (older and less featureful) LUKS 1 format. As an alternative,
you could set your computer's time to some other value before creating
the container; _if_ something stores such a timestamp, it would then
reflect that time value, not the actual real-world time of container
creation.

That said, some details from the LUKS header might provide clues in a
very gross sense; for example, encryption algorithm, key size and key
derivation function used for the container or a key slot might _hint_
at which version of the LUKS tools were _possibly_ used to create or
last update it, because defaults have slowly changed over time. But
then you'd probably be looking at a likely time span of years.

-- 
Michael Kjörling • https://michael.kjorling.se • michael@kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”

* [dm-crypt] Re: LUKS partition creation date
From: Milan Broz @ 2021-05-27 8:04 UTC
To: dm-crypt

On 27/05/2021 07:56, Michael Kjörling wrote:
> On 26 May 2021 10:48 +0200, from u961866@tutanota.com (Valdez):
>> Could a forensic investigation of an unmounted LUKS partition on a
>> USB flash drive used to run Tails reveal any information about the
>> date when the LUKS partition was created?
>
> Whether the storage device is a SATA SSD, USB flash drive, rotational
> fixed disk, floppy disk, or something you keep only in your brain, is
> immaterial to LUKS, as long as it can accurately retain and allow
> reading back high-entropy data.
>
> I'm also going to assume that when you say "LUKS partition", you mean
> a LUKS container. LUKS containers do not necessarily live inside
> partitions.
>
> Also, I'm not familiar with Tails specifically.
>
> However, the LUKS on-disk formats are linked to from the front page of
> the Wiki, at <https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home>.
>
> I'm pretty sure there are no dedicated fields for such timestamps in
> either on-disk format; I don't see how having them would serve any
> valid purpose. However, you certainly can look over the format specs
> if you're curious; for what they cover, they should be every bit as
> authoritative as anything you'll get in replies here. You can also
> compare them to the output of, say, `cryptsetup luksDump
> --dump-master-key` on a dummy container.
>
> Be aware that LUKS 2 is capable of storing arbitrary data in the
> header. Something would still need to put such a timestamp there, of
> course, but if this is a concern to you, you might consider sticking
> with the (older and less featureful) LUKS 1 format. As an alternative,
> you could set your computer's time to some other value before creating
> the container; _if_ something stores such a timestamp, it would then
> reflect that time value, not the actual real-world time of container
> creation.
>
> That said, some details from the LUKS header might provide clues in a
> very gross sense; for example, encryption algorithm, key size and key
> derivation function used for the container or a key slot might _hint_
> at which version of the LUKS tools were _possibly_ used to create or
> last update it, because defaults have slowly changed over time. But
> then you'd probably be looking at a likely time span of years.

Thanks for the excellent summary!

Just a few more points (maybe we can later add this to FAQ):

- In fact, not storing date/access time anywhere in LUKS2 was
  intentional, I just forgot to mention it in docs.
  (Of course we cannot avoid this if someone implements their own token
  metadata extension.)

- LUKS2 can increase seqid (sequence id) if autocorrection updates the
  header. It is a simple counter, so you can just say that there was
  some operation (but if you have an old copy, you can say it anyway :)

- libcryptsetup also implements other formats: VeraCrypt, BitLocker ...
  (I know Tails used the VeraCrypt-compatible implementation in
  libcryptsetup to access pre-formatted disks.)
  And all _metadata_ for these foreign formats are strictly read-only
  if accessed through libcryptsetup (even if there is some field that
  should be updated, libcryptsetup never writes anything there, we do
  not even have code for it. You cannot, for example, update the
  passphrase etc. through libcryptsetup.)

  Of course, once mounted, an upper layer like a filesystem can update
  decrypted data (and in the case of BitLocker even partially metadata,
  as it is shared/interleaved with NTFS metadata areas). But that is
  outside of our code responsibility.

Milan

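Added example, not part of the original thread and not cryptsetup's own code: a minimal Python reader for the cleartext LUKS1 and LUKS2 header fields discussed in the two messages above. It shows that the fixed layouts hold no timestamp field, while the LUKS2 `seqid` counter and any token types in the JSON area are readable without a passphrase. Field layouts follow the on-disk format specifications linked from the wiki; the sample headers, their UUIDs and the `example-token` type are constructed for illustration.

```python
import json
import struct

MAGIC = b"LUKS\xba\xbe"
# LUKS1 phdr, big-endian: magic, version, cipher name, cipher mode, hash spec,
# payload offset, key bytes, MK digest, digest salt, digest iterations, UUID.
LUKS1 = struct.Struct(">6sH32s32s32sII20s32sI40s")
LUKS1_SLOT = struct.Struct(">II32sII")  # state, iterations, salt, offset, stripes
SLOT_ACTIVE = 0x00AC71F3
# LUKS2 binary header: magic, version, hdr_size, seqid, label, checksum alg,
# salt, UUID, subsystem, hdr_offset. The JSON metadata area starts at 4096.
LUKS2 = struct.Struct(">6sHQQ48s32s64s40s48sQ")

def text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks_header(buf):
    """Return the cleartext fields visible to anyone who reads the raw header."""
    if len(buf) < 8 or buf[:6] != MAGIC:
        raise ValueError("not a LUKS header")
    version = struct.unpack_from(">H", buf, 6)[0]
    if version == 1:
        f = LUKS1.unpack_from(buf)
        states = [LUKS1_SLOT.unpack_from(buf, LUKS1.size + 48 * i)[0] for i in range(8)]
        return {"version": 1, "cipher": text(f[2]) + "-" + text(f[3]), "hash": text(f[4]),
                "key_bytes": f[6], "mk_iterations": f[9], "uuid": text(f[10]),
                "active_slots": [i for i, s in enumerate(states) if s == SLOT_ACTIVE]}
    if version == 2:
        f = LUKS2.unpack_from(buf)
        meta = json.loads(buf[4096:f[2]].rstrip(b"\0") or b"{}")
        return {"version": 2, "seqid": f[3], "label": text(f[4]), "uuid": text(f[7]),
                "kdfs": sorted({k["kdf"]["type"] for k in meta.get("keyslots", {}).values()}),
                "token_types": sorted({t["type"] for t in meta.get("tokens", {}).values()})}
    raise ValueError("unsupported LUKS version %d" % version)

def sample_luks1():
    """Constructed LUKS1 header: aes-xts-plain64, sha256, only slot 0 active."""
    hdr = LUKS1.pack(MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64, bytes(20),
                     bytes(32), 100000, b"00000000-0000-4000-8000-000000000001")
    slots = [LUKS1_SLOT.pack(SLOT_ACTIVE if i == 0 else 0xDEAD, 200000, bytes(32), 8, 4000)
             for i in range(8)]
    return hdr + b"".join(slots)

def sample_luks2():
    """Constructed LUKS2 header: seqid 3, one argon2id keyslot, one made-up token."""
    meta = {"keyslots": {"0": {"type": "luks2", "kdf": {"type": "argon2id"}}},
            "tokens": {"0": {"type": "example-token", "keyslots": ["0"]}}}
    binhdr = LUKS2.pack(MAGIC, 2, 16384, 3, b"", b"sha256", bytes(64),
                        b"00000000-0000-4000-8000-000000000002", b"", 0)
    return binhdr.ljust(4096, b"\0") + json.dumps(meta).encode().ljust(12288, b"\0")
```

Comparing the `seqid` of a current header with that of an older backup copy shows only that some header update happened in between, not when.
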
* [dm-crypt] Re: LUKS partition creation date
From: Arno Wagner @ 2021-05-27 10:54 UTC
To: dm-crypt

On Thu, May 27, 2021 at 10:04:36 CEST, Milan Broz wrote:
> On 27/05/2021 07:56, Michael Kjörling wrote:
> > On 26 May 2021 10:48 +0200, from u961866@tutanota.com (Valdez):
> >> Could a forensic investigation of an unmounted LUKS partition on a
> >> USB flash drive used to run Tails reveal any information about the
> >> date when the LUKS partition was created?
> >
> > Whether the storage device is a SATA SSD, USB flash drive, rotational
[...]
> > then you'd probably be looking at a likely time span of years.
>
> Thanks for the excellent summary!
>
> Just a few more points (maybe we can later add this to FAQ):
[...]

Good idea, will do.

Regards,
Arno

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier

* [dm-crypt] Re: LUKS partition creation date
From: Michael Kjörling @ 2021-05-27 11:03 UTC
To: dm-crypt

On 27 May 2021 12:54 +0200, from arno@wagner.name (Arno Wagner):
>> Just a few more points (maybe we can later add this to FAQ):
>
> Good idea, will do.

Maybe the FAQ should even include a question that lists what _is_
stored in the LUKS header, with a note to the effect of "this is all
there is", and a link to the respective on-disk format specification.

I imagine that a summarized list that gives, for each of LUKS 1 and
LUKS 2, what is stored globally and per key slot, and for each whether
it's encrypted or unencrypted, would be quite informative.

Yes, that should all be in the detailed on-disk format specification,
but a summary would make the information much more accessible.

-- 
Michael Kjörling • https://michael.kjorling.se • michael@kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”

* [dm-crypt] Re: LUKS partition creation date
From: Arno Wagner @ 2021-05-27 12:05 UTC
To: dm-crypt

On Thu, May 27, 2021 at 13:03:52 CEST, Michael Kjörling wrote:
> On 27 May 2021 12:54 +0200, from arno@wagner.name (Arno Wagner):
> >> Just a few more points (maybe we can later add this to FAQ):
> >
> > Good idea, will do.
>
> Maybe the FAQ should even include a question that lists what _is_
> stored in the LUKS header, with a note to the effect of "this is all
> there is", and a link to the respective on-disk format specification.
>
> I imagine that a summarized list that gives, for each of LUKS 1 and
> LUKS 2, what is stored globally and per key slot, and for each whether
> it's encrypted or unencrypted, would be quite informative.
>
> Yes, that should all be in the detailed on-disk format specification,
> but a summary would make the information much more accessible.

That should be there for LUKS 1, in the header documentation item.
Not sure what I have in there for LUKS 2 at the moment, I think
that part is just a reference to the documentation.

I take your point though, a summary that allows a quick check
would be handy to have in the FAQ as well. Let me think about it.

Regards,
Arno

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier