Bypass encryption by altering source code



  • In the Cryptsetup Frequently Asked Questions page it says:

    You are asked a passphrase of an existing key-slot first, before you can enter the passphrase for the new key-slot. Otherwise you could break the encryption by just adding a new key-slot.

    Is it not possible to edit the cryptsetup source code to delete this verification step, so that it is possible to bypass the encryption by adding a new key-slot? I've looked at the source code, but it's beyond my programming ability to be able to answer this question myself. I'm sure the answer is obvious.



  • I don't think that the explanation you cite is correct. A key slot just provides access to the master key of the volume - see LUKS multiple key slots - what's the intuition?. Thus adding a new key slot for an existing encrypted volume means that the current master key needs to be retrieved first, before it can be encrypted for the new key slot. To retrieve the master key one needs to get it from one of the existing key slots first, which needs the matching passphrase in order to decrypt the encrypted master key.
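The mechanism described in the answer above, as an added example that is not part of the original post or of cryptsetup's code: a simplified Python model in which each key slot holds the master key wrapped under a passphrase-derived key. `ToyVolume`, its methods, the XOR wrapping and the passphrases are all assumptions made for illustration; the `verify=False` path models a build with the passphrase check removed.

```python
import hashlib, hmac, os

ITER = 1000  # kept low so the demo is fast; real headers use far more iterations

def kdf(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITER, dklen=32)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class ToyVolume:
    """Hypothetical header model: master-key digest + slots of wrapped master key."""
    def __init__(self, passphrase):
        master = os.urandom(32)            # never stored in the clear
        self.digest_salt = os.urandom(16)
        self.mk_digest = kdf(master, self.digest_salt)
        self.slots = []
        self._store(master, passphrase)

    def _store(self, key, passphrase):
        salt = os.urandom(16)
        # XOR with a PBKDF2 stream stands in for the real slot cipher (assumption)
        self.slots.append((salt, xor(key, kdf(passphrase, salt))))

    def unlock(self, passphrase, verify=True):
        for salt, wrapped in self.slots:
            cand = xor(wrapped, kdf(passphrase, salt))
            if not verify or hmac.compare_digest(
                    kdf(cand, self.digest_salt), self.mk_digest):
                return cand
        return None

    def add_key(self, existing, new, verify=True):
        key = self.unlock(existing, verify)
        if key is None:
            return False
        self._store(key, new)              # wraps whatever unlock() produced
        return True

def demo():
    vol = ToyVolume(b"correct horse")      # constructed sample passphrases
    legit = vol.add_key(b"correct horse", b"second pass")
    refused = vol.add_key(b"wrong guess", b"new pass")
    patched = vol.add_key(b"wrong guess", b"new pass", verify=False)
    return (legit, refused, patched,
            vol.unlock(b"second pass") is not None,
            vol.unlock(b"new pass") is None)

if __name__ == "__main__":
    print(demo())
```

With the check skipped, a slot is still written, but it wraps the garbage that the wrong passphrase decrypted to, so the new passphrase never yields the master key.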


