2008-05-18 07:18:46
Re: Vulnerability with compromised geli credentials?

On Sat, 17 May 2008 17:41:13 -0700 (PDT)
"Abiron Arroyo" <abi e-arroyo.net> wrote:
>
> I'm not really a developer, but was considering if there is a key
> vulnerability in geli given that when you change a key there isn't a
> disk update.
>
> Consider the scenario where a new file system is created and populated
> with some files. At a later time the original key is changed because
> someone has gained access to the key and passphrase. A new key is
> generated and attached, but none of the files are modified.
>
The data is encrypted with a random master-key that's generated during
the init stage. That key is itself encrypted with a user-key generated
from the passphrase and keyfile, and the encrypted masterkey is stored
on the disk. The master-key itself is never changed; if the new files
were encrypted with a different key you wouldn't be able to read the
old ones.
_______________________________________________
freebsd-security freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe freebsd.org"
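
The key hierarchy described in the reply above, as an added toy model in Python. It is not part of the original post and is not geli's code, cipher or on-disk format: the function names, the PBKDF2 parameters and the HMAC-based keystream are assumptions chosen so the sketch runs with the standard library only. It shows that a key change re-wraps the same master key, so existing data stays readable without a disk update, and that a retained copy of the old metadata still unwraps with the old credentials.

```python
import hashlib, hmac, os

def user_key(passphrase: bytes, keyfile: bytes, salt: bytes) -> bytes:
    # User key derived from keyfile + passphrase; 64 bytes = wrap key || MAC key.
    # Iteration count is illustrative only.
    return hashlib.pbkdf2_hmac("sha512", keyfile + passphrase, salt, 10_000, dklen=64)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher (HMAC-SHA256 over a block offset); stands in for the real cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(master: bytes, passphrase: bytes, keyfile: bytes) -> dict:
    # "Metadata": the master key encrypted under the user key, plus a check tag.
    salt = os.urandom(16)
    uk = user_key(passphrase, keyfile, salt)
    enc = keystream_xor(uk[:32], master)
    return {"salt": salt, "enc": enc,
            "tag": hmac.new(uk[32:], enc, hashlib.sha256).digest()}

def unwrap(meta: dict, passphrase: bytes, keyfile: bytes):
    uk = user_key(passphrase, keyfile, meta["salt"])
    expected = hmac.new(uk[32:], meta["enc"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, meta["tag"]):
        return None  # wrong passphrase or keyfile
    return keystream_xor(uk[:32], meta["enc"])

def demo() -> dict:
    plaintext = b"file written before the key change"   # constructed sample data
    master = os.urandom(32)                             # generated once, at init
    meta_old = wrap(master, b"old pass", b"old keyfile")
    disk = keystream_xor(master, plaintext)             # data encrypted with master key
    # Key change: unwrap with old credentials, re-wrap with new ones. Disk untouched.
    meta_new = wrap(unwrap(meta_old, b"old pass", b"old keyfile"),
                    b"new pass", b"new keyfile")
    recovered = unwrap(meta_new, b"new pass", b"new keyfile")
    return {
        "same_master": recovered == master,
        "old_data_readable": keystream_xor(recovered, disk) == plaintext,
        "old_creds_rejected_by_new_meta": unwrap(meta_new, b"old pass", b"old keyfile") is None,
        "old_creds_open_old_meta_copy": unwrap(meta_old, b"old pass", b"old keyfile") == master,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```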