
LUKS allows multiple passphrases for a single device; however, adding or revoking a passphrase doesn't take long. So the passphrases seem to only decrypt some master key which is then used for the rest of the device. Is this the case?

What's the flow of the luksOpen process? Where is this master key stored? How large are the keys? Does the master key get recreated each time you add/revoke a passphrase?

Sid
    Most disk encryption solutions use the pass phrase only to encrypt/decrypt a master key and LUKS is no exception. – Sven Mar 24 '16 at 15:57
  • What happens with the master key when a new key is created or one is revoked? Does the master key change at that point? – Sid Mar 24 '16 at 16:03
  • No, the master key doesn't get changed. This would mean you have to update all of the encrypted data, and avoiding this is the whole point of this operation. Every valid passphrase or user for this kind of encryption is really a copy of the same master key encrypted with the passphrase for the user. – Sven Mar 24 '16 at 16:08
  • To be clear: if you have 3 passphrases for the device, you have 3 copies of the master key, each encrypted against a different passphrase? Is it not considered weak to give an attacker multiple ciphertexts of the same plaintext? – Sid Mar 24 '16 at 16:10
  • This is correct but I am not an expert in cryptology, so I can't answer the second part. – Sven Mar 24 '16 at 16:17
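The keyslot model Sven describes, written out as an added, runnable illustration (this is not cryptsetup's code and was not part of the original post). It follows the LUKS1 layout: the master key is generated once at format time, the header stores only a PBKDF2 digest of it plus one wrapped copy per keyslot (each with its own salt), and luksOpen tries slots until a candidate matches the digest. Assumptions: an HMAC-SHA256 keystream stands in for the device cipher used on the slot, anti-forensic splitting is omitted, and the iteration count is fixed rather than benchmarked.

```python
import os, hmac, hashlib
from typing import Optional, Tuple

MASTER_KEY_BYTES = 32   # constructed size; aes-xts-plain64 with a 512-bit key would use 64
ITERATIONS = 50_000     # cryptsetup benchmarks this per slot; fixed here so the demo runs quickly
DIGEST_BYTES = 20       # LUKS1 keeps a PBKDF2 digest of the master key to verify unlock attempts

def kdf(secret: bytes, salt: bytes, length: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, length)

def wrap(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the slot cipher: CTR-style keystream from HMAC-SHA256 XORed over data.
    Symmetric, so the same call unwraps. A real header uses the device cipher (e.g. AES)."""
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

class LuksHeader:
    """Models the on-disk header: it never holds the master key in the clear."""
    def __init__(self, master_key: bytes, slots: int = 8):
        self.mk_salt = os.urandom(32)
        self.mk_digest = kdf(master_key, self.mk_salt, DIGEST_BYTES)
        self.slots: list = [None] * slots      # each entry: (salt, wrapped master key) or None

    def fill_slot(self, master_key: bytes, passphrase: bytes) -> int:
        idx = self.slots.index(None)           # first free slot, as cryptsetup does by default
        salt = os.urandom(32)                  # per-slot salt: the wrapped copies are independent
        self.slots[idx] = (salt, wrap(kdf(passphrase, salt, MASTER_KEY_BYTES), salt, master_key))
        return idx

    def open(self, passphrase: bytes) -> Optional[bytes]:
        """luksOpen: try every used slot; the digest check identifies the real master key."""
        for slot in filter(None, self.slots):
            salt, wrapped = slot
            candidate = wrap(kdf(passphrase, salt, MASTER_KEY_BYTES), salt, wrapped)
            if hmac.compare_digest(kdf(candidate, self.mk_salt, DIGEST_BYTES), self.mk_digest):
                return candidate               # handed to the kernel, never written back to disk
        return None

    def add_key(self, existing: bytes, new: bytes) -> int:
        """luksAddKey: a working passphrase recovers the master key, then a new copy is wrapped."""
        master_key = self.open(existing)
        if master_key is None:
            raise ValueError("no key available with this passphrase")
        return self.fill_slot(master_key, new)

    def kill_slot(self, idx: int) -> None:
        """luksKillSlot: only that wrapped copy is destroyed; master key and data stay untouched."""
        self.slots[idx] = None

def luks_format(passphrase: bytes) -> Tuple[LuksHeader, bytes]:
    """luksFormat: the master key is generated exactly once; returned here only for the demo."""
    master_key = os.urandom(MASTER_KEY_BYTES)
    header = LuksHeader(master_key)
    header.fill_slot(master_key, passphrase)
    return header, master_key
```

Revoking a slot leaves the other slots and the data untouched, which is why luksAddKey and luksKillSlot are fast and why a once-leaked master key is not revoked by changing passphrases.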
