Split dm-crypt 0.1.0
59 views
Skip to first unread message
Rusty Bird
Sep 8, 2016, 2:12:09 PM9/8/16
to qubes-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi,
I've worked on this mostly out of stubbornness :), but maybe it is
useful for someone here. README.md pasted below.
https://github.com/rustybird/qubes-split-dm-crypt
Rusty
# _Split dm-crypt_ for Qubes R3.2-rc3 and later
**Isolates device-mapper based secondary storage encryption (i.e. not
the root filesystem) and LUKS header processing to DisposableVMs.**
Instead of directly attaching an encrypted LUKS partition from a source
VM such as sys-usb to a destination VM and decrypting it there, it works
like this:
1. The encrypted partition is attached from the source VM to a
(long-lived) offline _device DisposableVM_ configured not to parse
its content in any way: The kernel partition scanners, udev probes,
and UDisks handling are disabled.
2. From there, the LUKS header is sent to a (short-lived) offline
_header DisposableVM_ prompting for the password, and the encryption
key is sent back to the device DisposableVM, which validates that it
received an AES-XTS key and creates the dm-crypt mapping.
3. Finally, the decrypted partition is attached from the device
DisposableVM to the destination VM.
**If the destination VM is compromised, it does not know the password or
encryption key. It also cannot easily exfiltrate decrypted data to the
disk in a form that would allow an attacker who seizes the disk contents
later to read it.** (But see below for caveats.)
## Usage
The `qvm-block-split` attach/detach commands accept a subset of the
familiar `qvm-block` syntax, and some other commands are included:
- - Fully overwrite a device with random data
- - Overwrite just the LUKS header with random data
- - Format a new LUKS device with modern crypto parameters: AES-XTS with
256+256 (instead of 128+128) bit keys, SHA512 (instead of SHA1) PBKDF2
key derivation with 5 (instead of 0.1) seconds iteration time
When attaching, the destination VM argument can be omitted, in which
case the decrypted disk will be attached to yet another offline
DisposableVM.
```
qvm-block-split --attach|-a [--ro] [<dst-vm>] <src-vm>:<device>
--detach|-d <src-vm>:<device>
--overwrite-everything=random <src-vm>:<device>
--overwrite-header=random <src-vm>:<device>
--overwrite-header=format <src-vm>:<device>
--overwrite-header=shell <src-vm>:<device>
--modify-header=shell <src-vm>:<device>
```
## Remaining attacks
- - After detaching, the password and/or key will linger in more RAM
locations than without _Split dm-crypt_. Until there is a way to wipe
the DisposableVMs' memory, and `qvm-block-split` is modified not to
pass the key through dom0's memory, **power off your computer when
memory forensics is a concern.**
- - If both the destination VM and the source VM/disk are compromised,
they could establish a covert channel using e.g. read and write access
patterns, slowly saving some amount of decrypted data to the disk.
- - If the source VM/disk is compromised and successfully exploits the
header DisposableVM using a malicious LUKS header, a known AES-XTS key
could be sent to the device DisposableVM and used to present malicious
device content to the destination VM to potentially exploit it as
well. **Be suspicious if you do not see the expected filesystem data
in the destination VM. Or simply use a DisposableVM as the destination
VM.**
- - **Don't forget to overwrite your disk with random data before creating
a LUKS volume on it.** Otherwise, a compromised destination VM could
trivially save decrypted data to the disk in its free space, by
encoding each bit as an unmodified (still empty or in some other way
nonrandom-looking) or modified (random-looking) 128 bit AES block.
## Installation
1. Copy `vm/` to the DisposableVM template, inspect the code, and `sudo
make install` there; also install the `pv` (Pipe Viewer) package to
be able to run the `--overwrite-everything=random` command. Shut down
the template when finished.
2. Copy `dom0/bin/qvm-block-split` to dom0, e.g. into `~/bin/`, inspect
the code extra carefully, and `chmod +x` the script.
## Safety warning
The code's error handling is strict, and I haven't experienced any data
loss during development. Nevertheless, this is an early release. Please
**ensure you have a backup of all drives that are connected to your
computer.**
-----BEGIN PGP SIGNATURE-----
iQJ8BAEBCgBmBQJX0anuXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfRkkQAI0BIUItYTgf+BNbgAyaykr1
3P+47IUZi0VaLgR0B6+7rRx/9KFkil1dUViz46PvkgD79S71Gl/ThIDSDayBCYmF
Jpk0dwiscKXDZq6EfWVD3Bg0rYdXlmTeSEJn7jnNA35Vm4W9eS+tTdxNnsWhDpVb
97LD/muCgQHYqV8LcSLFcf4wxHMHC8zTh/ytC4ZCkgB+jNHJeJI6xMN8BnGemrMf
3sms1aj72pvg1rcRwlowWo9ib0Yl8Clav0s4308VuaOo2cPFknoDxIpnNloFMd15
RkXVPktoExSICFZKpuIdruEtcGswlxGlcqt3vGiUl1AkhCuJa8OARbfPlquupU+5
iDAWV3AcsAKR8xYL2eHSxIO1HsTU1PapsgsUSEEtviPe6x9wdWBijFk697Z+tabL
aEwVYLPL58L2V3HHVeddc39k352Bmw7hvYAjuqWzoV3+9PS5Jz2fm64ziqC4S2XZ
eGII4wPTH9+n3oYelXh98kx9YZUl0DBVcz9QgMSpgrzevd6h9GI3vVIeyosidj4z
VPy5KKKBwq3R1B7jCg2JVjSRu+uk6nqt9p7Z/XU+jKsYZjhoC+NgjcNr2djD22Tr
ruaza4DWhqUcoOjPdxu3bIvBy5fW6ZIIfe3RtRjI7bsK1Tc08SvIZ4Hlg+H1ifhF
c0o1hc3WoO42zSZO7oaW
=3QM0
-----END PGP SIGNATURE-----
Hash: SHA512
Hi,
I've worked on this mostly out of stubbornness :), but maybe it is
useful for someone here. README.md pasted below.
https://github.com/rustybird/qubes-split-dm-crypt
Rusty
# _Split dm-crypt_ for Qubes R3.2-rc3 and later
**Isolates device-mapper based secondary storage encryption (i.e. not
the root filesystem) and LUKS header processing to DisposableVMs.**
Instead of directly attaching an encrypted LUKS partition from a source
VM such as sys-usb to a destination VM and decrypting it there, it works
like this:
1. The encrypted partition is attached from the source VM to a
(long-lived) offline _device DisposableVM_ configured not to parse
its content in any way: The kernel partition scanners, udev probes,
and UDisks handling are disabled.
2. From there, the LUKS header is sent to a (short-lived) offline
_header DisposableVM_ prompting for the password, and the encryption
key is sent back to the device DisposableVM, which validates that it
received an AES-XTS key and creates the dm-crypt mapping.
3. Finally, the decrypted partition is attached from the device
DisposableVM to the destination VM.
**If the destination VM is compromised, it does not know the password or
encryption key. It also cannot easily exfiltrate decrypted data to the
disk in a form that would allow an attacker who seizes the disk contents
later to read it.** (But see below for caveats.)
## Usage
The `qvm-block-split` attach/detach commands accept a subset of the
familiar `qvm-block` syntax, and some other commands are included:
- - Fully overwrite a device with random data
- - Overwrite just the LUKS header with random data
- - Format a new LUKS device with modern crypto parameters: AES-XTS with
256+256 (instead of 128+128) bit keys, SHA512 (instead of SHA1) PBKDF2
key derivation with 5 (instead of 0.1) seconds iteration time
When attaching, the destination VM argument can be omitted, in which
case the decrypted disk will be attached to yet another offline
DisposableVM.
```
qvm-block-split --attach|-a [--ro] [<dst-vm>] <src-vm>:<device>
--detach|-d <src-vm>:<device>
--overwrite-everything=random <src-vm>:<device>
--overwrite-header=random <src-vm>:<device>
--overwrite-header=format <src-vm>:<device>
--overwrite-header=shell <src-vm>:<device>
--modify-header=shell <src-vm>:<device>
```
## Remaining attacks
- - After detaching, the password and/or key will linger in more RAM
locations than without _Split dm-crypt_. Until there is a way to wipe
the DisposableVMs' memory, and `qvm-block-split` is modified not to
pass the key through dom0's memory, **power off your computer when
memory forensics is a concern.**
- - If both the destination VM and the source VM/disk are compromised,
they could establish a covert channel using e.g. read and write access
patterns, slowly saving some amount of decrypted data to the disk.
- - If the source VM/disk is compromised and successfully exploits the
header DisposableVM using a malicious LUKS header, a known AES-XTS key
could be sent to the device DisposableVM and used to present malicious
device content to the destination VM to potentially exploit it as
well. **Be suspicious if you do not see the expected filesystem data
in the destination VM. Or simply use a DisposableVM as the destination
VM.**
- - **Don't forget to overwrite your disk with random data before creating
a LUKS volume on it.** Otherwise, a compromised destination VM could
trivially save decrypted data to the disk in its free space, by
encoding each bit as an unmodified (still empty or in some other way
nonrandom-looking) or modified (random-looking) 128 bit AES block.
## Installation
1. Copy `vm/` to the DisposableVM template, inspect the code, and `sudo
make install` there; also install the `pv` (Pipe Viewer) package to
be able to run the `--overwrite-everything=random` command. Shut down
the template when finished.
2. Copy `dom0/bin/qvm-block-split` to dom0, e.g. into `~/bin/`, inspect
the code extra carefully, and `chmod +x` the script.
## Safety warning
The code's error handling is strict, and I haven't experienced any data
loss during development. Nevertheless, this is an early release. Please
**ensure you have a backup of all drives that are connected to your
computer.**
-----BEGIN PGP SIGNATURE-----
iQJ8BAEBCgBmBQJX0anuXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfRkkQAI0BIUItYTgf+BNbgAyaykr1
3P+47IUZi0VaLgR0B6+7rRx/9KFkil1dUViz46PvkgD79S71Gl/ThIDSDayBCYmF
Jpk0dwiscKXDZq6EfWVD3Bg0rYdXlmTeSEJn7jnNA35Vm4W9eS+tTdxNnsWhDpVb
97LD/muCgQHYqV8LcSLFcf4wxHMHC8zTh/ytC4ZCkgB+jNHJeJI6xMN8BnGemrMf
3sms1aj72pvg1rcRwlowWo9ib0Yl8Clav0s4308VuaOo2cPFknoDxIpnNloFMd15
RkXVPktoExSICFZKpuIdruEtcGswlxGlcqt3vGiUl1AkhCuJa8OARbfPlquupU+5
iDAWV3AcsAKR8xYL2eHSxIO1HsTU1PapsgsUSEEtviPe6x9wdWBijFk697Z+tabL
aEwVYLPL58L2V3HHVeddc39k352Bmw7hvYAjuqWzoV3+9PS5Jz2fm64ziqC4S2XZ
eGII4wPTH9+n3oYelXh98kx9YZUl0DBVcz9QgMSpgrzevd6h9GI3vVIeyosidj4z
VPy5KKKBwq3R1B7jCg2JVjSRu+uk6nqt9p7Z/XU+jKsYZjhoC+NgjcNr2djD22Tr
ruaza4DWhqUcoOjPdxu3bIvBy5fW6ZIIfe3RtRjI7bsK1Tc08SvIZ4Hlg+H1ifhF
c0o1hc3WoO42zSZO7oaW
=3QM0
-----END PGP SIGNATURE-----
Andrew David Wong
Sep 9, 2016, 8:24:17 PM9/9/16
to Rusty Bird, qubes-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hash: SHA512
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJX01KbAAoJENtN07w5UDAw2B8P/A/WScgz5BbqsMQkThqHCgR2
+wTYX2KQa3Gif32dfazQ4w9Wc1y1d7Djd5jkPbWULx6Jc0N/IOQZPVjYOC350QdK
W9W+DNY68HH1KzE2YVzGUvN+I48RvTNMZk8xSQq9pYlxnnx8w+cHH3/yIgvmb7ls
7bKdbSVPLDnRA7KM4jHKp5PwWCuKs/ogKimIIFMJ+51bYNDlY+9Zvhx2H0bZ+4Vp
/R0nGhuHHpP6qE1FDtaanLcXQ78LEHVY36nObgW5QYeZLStIj36p7PTz3MvdhfL4
fb9xOp8TPOfbRcmTgX4STGe9qJJEtbwMlhuhcAAg+ItiB8NoVtNjW5B0kWjP3ua1
gXbQVhTGWFf0+puqBKMPm4p/EgEYp013zP2Zx+ckEgL7itoAON/XtY7ayqQc6g58
Ww5wHSRC+sujJiTnF7rIf6HE9v+gg0dhvzjlUdDr4VRfky0rdsotlCLJXNM2ocAX
2A6nXtb5SQwrN0bybBeiKMpISRSLe7YqSk2irC8nMR6TF5Pxl7fqlh6L9W5hIhU9
8ALvDJQQW6rzUwXGHhrDvO8zwielfTZuJ6M/7faSS3dm6naCRoVUfTev5dCIgm9l
Zbpnq6KsvcfhSHjI8uwGAZWYeIRPBJBqGQYk0KHAabl9nkWxLtEMDBuyj7MxKGiC
gMqGtX0WwAehPNaoH7RL
=wcEN
-----END PGP SIGNATURE-----
Rusty Bird
Sep 10, 2016, 4:16:27 AM9/10/16
to qubes-users, Andrew David Wong
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi Andrew!
Hash: SHA512
>> https://github.com/rustybird/qubes-split-dm-crypt
> This looks great, Rusty! Thank you!
https://www.qubes-os.org/doc/encryption-config/. The 5 sec iteration
time hits a nice balance.
Rusty
-----BEGIN PGP SIGNATURE-----
iQJ8BAEBCgBmBQJX08FSXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfQZ4P+wY89oHl3mUBpv3JJHJyg+aU
+XqBn37f3uMReCmXZUhoRZGkjFYV9HBStrKPYDT2Og3Tc56Lw6J/48m4Yb8rXMnh
6+i1HDYmqBA9CBGTCvFFv/+S85vWF9RGqTWYr8aqkX8YqxmbEFp0RU1qqXTK2Dm1
sO9YmWgMp+4R/qagdJ2OCG5Rrx/cAJEu53e51Y6YcAaJkvsY85z8XNYdo7gSOGTx
WvDwRyAZT9GGxseeLzxu3S0cVyq+uWww6wtwNPnYl5DLFVeum3RlNDYvJDXm/+4X
fTUvRJGLmMWHcs0/xQqgLjeIhFaAi/kNRI3OLi/jRx2bSQk4b6Pv9tEaVupmIwFF
lGSv+IjQjLrGOvLxizV3ZLZQvLG/ZDX18BjCbZNZCHL6SqY8Yv2kOZMPNPa5BL+O
/GEkc+ij89NeQPvr0Q42K++ypvO2XllxKA+U8YBAVbXMbDD+2SZF2H+eJeVzBAG0
Bs4ewKONNqTT3nGocX915tlj7+XW61OMQa0riiIY+5nt2/WrIWcUkIkLXzC7doPc
1Fkxc4170vgScYbJMnIMxIhR1DRvpLSuYNlscKUJyhFLh+sAkyXsTE3X+h/m+3pI
hqdoMrJb+Jiz6ZdgE1zRb4ru/BIdUt8+V6AzcyWow/VB/hqGT6JSHBVtlJGqgd83
Aj6CMermoytakjKEMwaD
=LfiK
-----END PGP SIGNATURE-----
Rusty Bird
Sep 10, 2016, 4:19:45 AM9/10/16
to qubes...@googlegroups.com, Andrew David Wong
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
> https://github.com/rustybird/qubes-split-dm-crypt
Hash: SHA512
If anyone has been using this already, please update to version 0.1.1
which contains a security bugfix.
Rusty
-----BEGIN PGP SIGNATURE-----
iQJ8BAEBCgBmBQJX08IXXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfiXkP/296qW+raC+ku/86uRh4NIgx
DFufItk6a7LE1uEHjSKWh2liM5oFu1kimOkYaewl9A7ZbDgVCJ767BRLvbPpvaER
uNW/A9qnTojQ1wGIhqSUye0iChAfDHU8TfdkBofMP6bMIcNSZg+gdqJS1EpphSww
uoyHk+flzvETf8WjbPiTJn5mUFITQw7U+Dpv/tbUCdmI2V1051AT3RpDShzTtfgT
5M94BNNT+BW4rZnCvPSWp2AgGJBXXwacQvizPRvwgqBfgOm/KNbHt8VSbcco/5tV
uxM15x8fH66UpI8LxSXEkCgfpUoidBBcQKzWylzH3ggRQP9L/09Ph+iOCpWzU3SF
yOuPVUaPpzRQbq7Rr1q5lZNFDVHTKew6PVZR5yYUm2eyJQerPYPU4InoTjQAM3te
UkUjEWkdpCffACKL3DUpSavErkJefwadXIBPHssluTOwa4rGPm8kgJhm1rdZm3xj
dTE4v25aR414Ty/VXOFzjwAHpdGbZvq3dbgQs0+GyCqjE8JSJps42a2XuUsGDypZ
hsYrUFDiGBEmiIucgHed2gsEIahxM7p6lz3CTmghFD5skp+ngmnuNjEWFiuFD1UB
lBAxmdljABI+VsrW7EGFJ3CuJv83pQOMy0HqwVeFehyeyWtkdxbcKqjbO676bKUG
DZ1QuKeJzXatRJoX1ZPd
=Fe+2
-----END PGP SIGNATURE-----
Andrew David Wong
Sep 15, 2016, 4:54:43 AM9/15/16
to Rusty Bird, qubes-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hash: SHA512
On 2016-09-08 11:11, Rusty Bird wrote:
> Hi,
>
> I've worked on this mostly out of stubbornness :), but maybe it is
> useful for someone here. README.md pasted below.
>
> https://github.com/rustybird/qubes-split-dm-crypt
>
> Rusty
>
Added a link to the Qubes doc index so that people can find
>
> I've worked on this mostly out of stubbornness :), but maybe it is
> useful for someone here. README.md pasted below.
>
> https://github.com/rustybird/qubes-split-dm-crypt
>
> Rusty
>
this in the future:
https://github.com/QubesOS/qubes-doc/commit/1448c1e7ab8ba17c7a9b9fdd53fcdefb0f1b329b
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iybOD9yYjJepUSpRJKxKDHnow6ETeBqgz8o0TdHIgfoTESjl12cPYI7mstVZo7oD
W33fq6RzzGgjLtCuejCr92KYJwJiDffoGSFAIeZsAfKEqTbXKoDJ+pjO31ScAqu9
cEspODkJp6IAcYvEe5fF2s8W+3WyE/p6Z+qXcRuFtu5/Wg8NIREbPlU0Z9CZHND5
TwUJb3gqvX3DajIpZm/JwBtKbst7M3ky3TVWdLLZZw9oUvAluqOnlHC4SjO00z1T
p2/KawXs+9BwHz5FTwJ1LLKcKu/0c+V23yrMU6hwwDFBbdknoJtQJBkqiS6fT/2d
Pm0F1eLra/nlI2mb0z6H1wGY71I6kWMNeKoKcNYdosGmjBIAFcsn8MrmIWF9/GY9
NLxjNi2qI2f0VE6Z+s5bnWK3FeoViCHRufMjeFpFcy2hb7lUT+wvrkhyV5Amti/S
GBif4jBAihiUT/EwZnD9AQd3s2MQLhmwjG+SwZENpJ2Y2AAyIgMEBcSz3Vtz72Yk
FvdcH8EfgF7RclbgvEmL5PX2MhmIZc8ifWUIeXkprPVCFFU4zCcQsZd5UVkHAfTS
RxaqKJXqFvu0VPr+evuCfQqcezvWlG6bQLFubZukWz0B8zj+XwV8RFvu+BWsyJrP
yJXB8cuCfMFJXJTsGtFy
=xPVu
-----END PGP SIGNATURE-----
Reply all
Reply to author
Forward
0 new messages