Decryption through LUKS2 reencryption crash recovery

143 points by beermonster, over 3 years ago

9 comments

formerly_proven, over 3 years ago
Generally speaking hard drive encryption protects against theft and not tampering. I.e. the idea is that if your laptop or NAS is "lost and found", then you wipe the drive and restore from backup, not continue to use the drive.

-

Since the protocol used here is broken the fix is to change the protocol - so keep in mind that...

> The former reencryption operation (without the additional digest) is no longer supported (reencryption with the digest is not backward compatible). *You need to finish in-progress reencryption before updating to new packages.* The alternative approach is to perform a repair command from the updated package to recalculate reencryption digest and fix metadata.

Just in case you were thinking about upgrading the software during re-encryption - don't.
chopin, over 3 years ago
What's still unclear to me: can you just grab an encrypted device (cold) and decrypt it? Or does the attack require a "live" device, i.e. one where the passphrase has already been given and the device is online?
josephcsible, over 3 years ago
What does this let an attacker do exactly that they couldn't already do with a regular evil maid attack?
Aardwolf, over 3 years ago
> LUKS2 online reencryption is an optional extension to allow a user to change the data reencryption key while the data device is available for use during the whole reencryption process.

Since it's optional, is it possible to see if this is enabled or disabled, and how to disable it?
akeck, over 3 years ago
Some people keep the LUKS2 volume header in a separate file that's encrypted (e.g., with gpg). Would someone still be able to attack a cold volume using this vulnerability in that case?
lvass, over 3 years ago
I still don't get how the fix works. If I just mount an external LUKS2 device in an updated system, it's good to go?
gray_-_wolf, over 3 years ago
> The attack is not applicable to LUKS1 format, but the attacker can update metadata in place to LUKS2 format as an additional step.

First time I'm glad grub cannot boot LUKS2.
aborsy, over 3 years ago
Could the NSA then crack any LUKS encrypted container held on cloud storage such as Dropbox or GDrive (opened with a key on client side, never entered on server)?
FeistySkink, over 3 years ago
Does this affect LUKS1?