Conversation

There should have been no way to get to that situation without: 1. Being offered the option to use the passphrase as input to a KDF, with a warning about strength. 2. Being warned to store a key backup on paper, and that data WILL BE GONE PERMANENTLY if you don't.
Replying to
They do use a KDF but only use the resulting key to encrypt the header. It's the approach used by most disk encryption implementations in order to allow the user to rotate the password without having to encrypt the whole drive again, only the header. Easy to make that atomic too.
Replying to
Sure, but the user wanting to change their passphrase is different than them wanting to rotate the underlying disk encryption key. It could require a lot of time and storage space or simply backing up, resetting and restoring from the backup.
Replying to and
It's also worth noting that some devices have an SoC key wrapping feature where the OS can choose to provide the encrypted key and key derivation inputs for the key encryption to the SoC encryption module without ever being able to see the decrypted disk encryption key itself.
Replying to and
That's how it works on iPhones. Snapdragon has a similar hardware feature and AOSP supports it, but it's not actually used on the reference devices (Pixels), probably because they prefer being able to verify that the inline encryption support is actually working as intended.
Replying to and
Even though you're setting disk encryption keys in hardware registers used to do inline decryption/encryption, you can normally check that it's working as intended by comparing the results in both directions with software. If you use the wrapped key protection, you can't do that.
Replying to and
i.e. wrapped key protection is kind of neat but it's hard to see substantial value from it. Rotating the actual encryption key provides comparable security properties, but it's a lot of trouble. It's important that encryption is standard and always enabled so it needs usability.
Replying to
And it needs to not compromise data recovery capability. For the vast majority of users, availability is more important than confidentiality. If you break it, users will hate encryption.