
This is an encryption topic I've been confused by for a while now. From what I understand of LUKS, once the LUKS volume is opened with a passphrase and the resulting device mapper device is mounted, it can be read from and written to until the point that it is closed/unmounted, while the actual on-disk format of the data is in an encrypted form.

Let's say a server break-in was to occur while the LUKS volume is opened and mounted, whereby the root account's password was compromised and the server broken into over SSH. The attacker will now have full read/write access to the device.

Compare this to a file-based encryption system, such as eCryptfs. If a breach on the root account was to occur and I have sensitive data stored in, say, /home/secure - which is encrypted using eCryptfs - the attacker will not have access to this, since the /home/secure directory is not simply "unlocked" with a passphrase, as in the case of LUKS.

Have I completely misunderstood something here? I feel I have done my research from the wealth of information out there on LUKS, but I haven't found any discussion on the implications of a break-in when a LUKS volume is mounted. Thanks for any insights or clarifications given!

2 Answers

5

Full disk encryption systems like DM-Crypt, Bitlocker, Truecrypt are primarily focused on security against offline physical attacks. With a strong key/phrase they protect against your drive/computer being decrypted after having been physically stolen. They offer little or no protection at all from attacks against the OS. If your OS is running, and a privileged account is compromised, the attacker will basically have full access to any information the privileged account can access.

On-demand file based encryption tools like eCryptfs will provide some additional protections, but even this is not foolproof. If an attacker has compromised your system, and you provide your password to unencrypt your files, they may be able to get your password. If your files were already open and unencrypted they will/may be able to access them.

So you basically need to understand that encryption is a single layer of strong security. It is not a full solution. You must also harden and protect the operating system against intrusions. You should take steps to try to have any really important data decrypted for the least amount of time possible. Security must be done in layers.

Dzamo Norton
Zoredache
3

You might be confused about how eCryptFS works: a directory containing the encrypted files gets mounted into another directory - for this process you need a passphrase. And in this second directory you can then access the files in clear text.

LUKS works on block devices and eCryptFS on files, but both get mounted and you need a passphrase (or passfile) for that. So in your threat model there is no difference in security between LUKS/dm-crypt and eCryptFS.

amette