Matthew Garrett

If you installed a Linux system with disk encryption more than a couple of years ago, there's a decent chance it's using a weak key derivation function and someone who cares enough would be in a position to brute-force it. mjg59.dreamwidth.org/66429.htm has more details and instructions on how to update to a better KDF.

13 comments
f00f/eris/continuum/etc

@mjg59 hmm

i wonder if my debian 12 install upgraded from a roughly year-old debian 11 is affected

anarcat

@f00fc7c8 @mjg59 to figure out if you're affected, run this: `cryptsetup luksDump /dev/sda3 | grep -e Version` and `cryptsetup luksDump /dev/sda3 | grep PBKDF`. unless that says "2" and "argon2id", you are affected

anarcat

@f00fc7c8 note that a previous reply of mine stated that you need to grep for Digests, that's explicitly what @mjg59 tells you *not* to do. in general, don't listen to me and listen to him
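
The check from the two replies above, as an added example that is not part of the thread: it reads `cryptsetup luksDump` output, looks only at the Keyslots section (never Digests), and reports every keyslot separately. The function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `cryptsetup luksDump` text on
# stdin and applies the rule quoted above: LUKS2 header and argon2id on every
# keyslot, otherwise affected. Returns 0 when fine, 1 when affected.
luks_kdf_check() {
    awk '
        BEGIN { bad = 0; n = 0 }
        /^Version:/  { version = $2 }
        /^Keyslots:/ { in_slots = 1; next }
        /^[A-Za-z]/  { in_slots = 0 }          # any other top-level section
        in_slots && /^[ \t]+[0-9]+:/ { slot = $1; sub(/:$/, "", slot); next }
        in_slots && $1 == "PBKDF:"   { kdf[slot] = $2; n++ }
        END {
            if (version != "2") { print "header: version " version " (affected)"; bad = 1 }
            if (n == 0)         { print "no LUKS2 keyslot PBKDF found (affected)"; bad = 1 }
            for (s in kdf) {
                if (kdf[s] == "argon2id") print "keyslot " s ": argon2id (ok)"
                else { print "keyslot " s ": " kdf[s] " (affected)"; bad = 1 }
            }
            exit bad
        }
    '
}

# Constructed sample, trimmed to the fields the check reads. Slot 1 stands in
# for a forgotten second passphrase that still uses the older KDF.
sample_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
    Key:        512 bits
    PBKDF:      argon2id
  1: luks2
    Key:        512 bits
    PBKDF:      argon2i
Digests:
  0: pbkdf2
    Hash:       sha256
EOF
}

sample_dump | luks_kdf_check || echo "result: affected"
# Real use, as root, with the device from the thread:
#   cryptsetup luksDump /dev/sda3 | luks_kdf_check
```

The `pbkdf2` entry under Digests in the sample is ignored on purpose; only keyslot PBKDF lines count toward the result.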

itsybitesyspider :pmgpurple:

@f00fc7c8 @mjg59 I have a machine that I bought 21 months ago, that has only ever run debian unstable, and another from about 10 months ago, running stable, and both came back argon2i.

So this would seem to impact statistically everything.

f00f/eris/continuum/etc

@itsybitesyspider @mjg59 Hopefully this blog post gets major distros to push out argon2id by default as a security update.

IoT is the grey goo

@mjg59 Good to raise this point.

But the article assumes the encryption must have been broken. There are numerous other ways to get access to a computer's contents, ones which police heavily favor.

anarcat

@mjg59 i do wonder how one distribution (say Debian) is supposed to deal with this on upgrades... maybe we should add that to the release notes along with your procedure? i'm also considering doing such a procedure fleet-wide here... i can't help but think this is rather risky...

Zach777

@mjg59 Great information. Boosting and replying so others see it.

bbhtt

@mjg59

Upgraded mine last year and also deleted an extra unused keyslot.

I was kinda worried that I'd bork the system, so I went through all the issues re luks2 first 😅 but in the end it was pretty painless.

ground024

@mjg59 Thanks for the information on LUKS keys. Extremely important especially for those using it as a cloud backup option.

clacke: looking for something 🇸🇪🇭🇰💙💛

@mjg59 Yeah this partition right here has seen most of the Ubuntu LTSes of last decade.