AN02: Managing LUKS key slots
If you want to install two or three distributions in a system, Kaiten-yaki works fine; there is no problem at all.
Extreme cases, such as installing as many distributions as possible or repeating the overwrite installation, however, run into the limit on the number of LUKS key slots. To handle these cases the user must understand and manage the LUKS key slots.
This application note explains the limitation and the difficulties that come from the number of LUKS key slots, and how to work around them (where possible).
A LUKS1 volume header has 8 key slots. Each slot holds a copy of the volume's master key, encrypted with a key derived from one passphrase (or key file) by a slow key-derivation function, together with the salt and iteration count used for that derivation. In other words, up to 8 different passphrases can open the same LUKS1 volume. (A LUKS2 header allows more slots, 32 with the default header size, but Kaiten-yaki volumes and the examples below use the LUKS1 layout.)
In this context the "user" is not limited to a human being. Any software can feed a passphrase or key file to open a LUKS volume. So even if only one person uses a computer, several key slots may be in use.
When a user (or a program) supplies a passphrase, cryptsetup (the userspace management tool; the kernel's dm-crypt driver only performs the bulk encryption once the master key is known) tries each enabled slot in turn: it derives a key from the passphrase with that slot's salt and iteration count, decrypts the slot's key material, and checks the result against the master-key digest stored in the header. If one slot yields the correct master key, the passphrase is accepted and that slot's number is reported. Each passphrase is therefore tied to one specific slot, and slots are independent of each other.
Kaiten-yaki uses N+1 LUKS key slots to install N distributions in a system (where N is a positive integer).
Whenever Kaiten-yaki creates a LUKS volume (not an LVM volume), it registers the passphrase typed by the user. This passphrase is stored in key slot 0. So when the user types the passphrase correctly at boot time, it is slot 0 that unlocks the volume.
In addition to the user passphrase, Kaiten-yaki uses one key slot per installation to register the passphrase with which the Linux kernel opens the LUKS volume. This passphrase is different from the user passphrase: it is a random binary block generated from /dev/random, and it is stored in a file under /etc/luks. Nobody can guess or memorise it, so a glance over the user's shoulder reveals little. Note, however, that the key file is exactly as powerful as the user passphrase: anyone who can read it can open the volume. Keep it, and any copy of it, readable by root only.
This usage defines the maximum number of Linux installations in a system: 7 if all of them are installed by Kaiten-yaki (8 slots minus the one holding the user passphrase). If a user tries to install an 8th distribution into the LUKS volume with Kaiten-yaki, it fails because there is no vacant LUKS key slot.
The overwrite installation is another case that consumes a LUKS key slot.
If the variable OVERWRITEINSTALL in config.sh is set to 1, Kaiten-yaki simply overwrites an existing logical volume inside the LUKS volume. In this case too, Kaiten-yaki registers a new key file for the new installation, while the slot of the overwritten installation's old key file is not released. So the number of installed distributions stays the same but the number of occupied LUKS key slots grows by one.
Eventually the installation fails for lack of a vacant LUKS key slot, even when only two or three distributions are installed.
Some users may want to delete a key slot in order to install another distribution. To do that they must know which LUKS key slots are in use and which are not.
This section explains how to find out.
First of all, the user can list the status of all LUKS key slots. An example is shown below (the grep pattern matches both ENABLED and DISABLED; this is the LUKS1 luksDump format, a LUKS2 header lists its slots under a "Keyslots:" section instead). Here slots 0, 1 and 2 are occupied:
```
takemasa@mate-vm:~$ sudo cryptsetup luksDump /dev/sda2 | grep -i bled
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
```
If there is still a vacant LUKS key slot, the user can install another distribution without deleting anything. But if there is no vacant slot at all, the user must delete a slot that is occupied but no longer used. To identify such a slot, first mark every slot that is occupied and still in use; whatever remains is the candidate for deletion.
First, find the LUKS key slot that holds the user passphrase. Run the following command from any of the installations (with --test-passphrase, cryptsetup only checks the passphrase; it does not map the device):
```
cryptsetup -v --test-passphrase luksOpen /dev/sdXN
```
where X is a, b, c, ... and N is 1, 2, 3, ...
The command prompts for the passphrase. If the user types the correct passphrase, the -v option makes the command print the number of the key slot that passphrase unlocked. For example:
```
takemasa@mate-vm:~$ sudo cryptsetup -v --test-passphrase luksOpen /dev/sda2
Enter passphrase for /dev/sda2:
Key slot 0 unlocked.
Command successful.
```
So slot 0 is in use.
Next, boot into each installed distribution and run the following command there. It reports the slot that holds the key file which that installation passes to the kernel. /etc/luks/boot_os.keyfile is created by Kaiten-yaki during the installation, so each distribution has its own file, and only that distribution's file unlocks its slot:
```
sudo cryptsetup -v --test-passphrase luksOpen /dev/sdXN --key-file /etc/luks/boot_os.keyfile
```
A sample run:
```
takemasa@mate-vm:~$ sudo cryptsetup -v --test-passphrase luksOpen /dev/sda2 --key-file /etc/luks/boot_os.keyfile
Key slot 2 unlocked.
Command successful.
```
Repeating this command inside every installation gives the list of slots that are occupied and in use. Any other enabled slot is occupied but unused, typically left behind by an overwritten installation. Do not delete a slot you cannot account for unless you are sure no installation still depends on it; removing the wrong slot leaves that installation unable to boot.
Finally, the user can delete the occupied but unused LUKS key slot with the following command. cryptsetup asks for the passphrase of one of the remaining slots (the user passphrase will do) before it wipes the slot. It is prudent to save a copy of the LUKS header first (cryptsetup's luksHeaderBackup) so that a mistake can be undone; that backup contains every key slot, so protect it like the passphrase and delete it once the volume is known to work.
```
sudo cryptsetup luksKillSlot /dev/sdXN key_slot_number_to_delete
```
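The procedure above can be scripted. The following is an added example, not part of Kaiten-yaki, that parses luksDump and --test-passphrase output to compute which enabled slots nothing known unlocks. It assumes the LUKS1 luksDump format shown above, and a hypothetical directory into which the /etc/luks/boot_os.keyfile of every installation has been copied (each one lives inside its own root file system, so you would collect them from each booted distribution or from the mounted logical volumes). The luksDump text embedded in the script is a constructed sample, not captured from a real system.

```shell
#!/bin/sh
# Added example (not part of Kaiten-yaki): list the occupied LUKS1 key slots
# of a device, mark the ones that the user passphrase or a known key file
# unlocks, and report the rest as orphans that luksKillSlot may remove.
# Assumptions: LUKS1 luksDump output ("Key Slot N: ENABLED"), and a
# hypothetical directory holding the key files of all installations.

# Read luksDump output on stdin; print the numbers of enabled slots, one per line.
enabled_slots() {
    awk '/^Key Slot [0-9]+: *ENABLED/ { sub(":", "", $3); print $3 }'
}

# Read "cryptsetup -v --test-passphrase" output on stdin; print the slot number
# from "Key slot N unlocked.", or nothing when no slot matched.
unlocked_slot() {
    sed -n 's/^Key slot \([0-9]*\) unlocked\.$/\1/p'
}

# $1: enabled slots, $2: slots proven in use (both space separated).
# Print every enabled slot that is not proven in use, one per line.
orphan_slots() {
    for s in $1; do
        case " $2 " in
            *" $s "*) ;;
            *) echo "$s" ;;
        esac
    done
}

# Probe the real device (needs root). $1: device, $2: directory of key files.
# Prints "slot<TAB>source" for the passphrase and each key file that unlocks a slot.
probe_device() {
    dev=$1; keydir=$2
    # The user passphrase is prompted on the terminal; --test-passphrase never maps the device.
    slot=$(cryptsetup -v --test-passphrase luksOpen "$dev" 2>&1 | unlocked_slot)
    [ -n "$slot" ] && printf '%s\tuser passphrase\n' "$slot"
    for f in "$keydir"/*; do
        [ -f "$f" ] || continue
        slot=$(cryptsetup -v --test-passphrase luksOpen "$dev" --key-file "$f" 2>&1 | unlocked_slot)
        [ -n "$slot" ] && printf '%s\t%s\n' "$slot" "$f"
    done
}

# Wipe one orphan slot after saving the header. Refuses slots that are in use.
# $1: device, $2: slot to kill, $3: slots in use (space separated).
kill_orphan() {
    dev=$1; slot=$2; used=$3
    case " $used " in
        *" $slot "*) echo "refusing to kill slot $slot: it is in use" >&2; return 1 ;;
    esac
    # The backup holds every key slot: protect it like the passphrase, delete it afterwards.
    backup="/root/luks-header-$(basename "$dev").bak"
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup" || return 1
    # luksKillSlot asks for the passphrase of one of the remaining slots before wiping.
    cryptsetup luksKillSlot "$dev" "$slot"
}

# Constructed sample (not captured from a real system) mirroring the page's
# example: slots 0-2 enabled, the passphrase in slot 0, this installation's
# key file in slot 2, and nothing known that opens slot 1.
SAMPLE_DUMP='LUKS header information for /dev/sda2

Version:        1
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Run the bookkeeping on the sample: expected result is slot 1.
demo_orphans() {
    enabled=$(printf '%s\n' "$SAMPLE_DUMP" | enabled_slots | tr '\n' ' ')
    used=$(printf 'Key slot 0 unlocked.\nCommand successful.\n' | unlocked_slot)
    used="$used $(printf 'Key slot 2 unlocked.\nCommand successful.\n' | unlocked_slot)"
    orphan_slots "$enabled" "$used"
}

if [ "$#" -eq 2 ]; then
    # Usage (as root): sh find_orphan_slots.sh /dev/sdXN /root/keyfiles
    dev=$1; keydir=$2
    enabled=$(cryptsetup luksDump "$dev" | enabled_slots | tr '\n' ' ')
    probe=$(probe_device "$dev" "$keydir")
    used=$(printf '%s\n' "$probe" | cut -f1 | tr '\n' ' ')
    echo "enabled slots: $enabled"
    printf '%s\n' "$probe"
    echo "orphan slots (occupied, but nothing known unlocks them):"
    orphan_slots "$enabled" "$used"
else
    echo "demo on constructed sample, orphan slots:"
    demo_orphans
fi
```

The script only reports; it never wipes a slot on its own. kill_orphan is there for the final step and refuses any slot that the probe proved in use, and it takes a header backup first because a killed slot cannot be recovered otherwise. A slot the script lists as orphan is still only "nothing we tried unlocks it": if a key file could not be collected from some installation, that installation's slot shows up here too, so check the list against the number of installations before killing anything.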
For the typical case of installing two or three distributions in a system, there is no problem in using Kaiten-yaki at all.
But users who want to install as many distributions as possible, or who repeat the overwrite installation, must keep the number of LUKS key slots in mind.