geli(8) and replay attack

Is it possible to implement protection against replay attacks? How can it be implemented, e.g. maybe with rolling one-time keys, or by somehow forcing a re-encryption of the data (maybe by destroying and recreating the RAID)?

The idea is to keep the physical encrypted data changing all the time, e.g. rotating each day or every several hours (alternative: every 15 minutes).

Are there already solutions in the Linux sector?

Thanks!
 
Maybe...THIS IS UNCERTAIN, JUST AN IDEA...
Code:
geli setkey $prov # The partition is randomized already...or ought to be
This forces a new password, if that is desired. Other than that, I am not sure. Maybe use geli partitions as gbde partitions, kind of like gbde-on-geli. On Linux, with LVM-encrypted-on-encrypted, you would have to use cryptsetup to open the crypt volume, then use LVM to set up the volumes, then use cryptsetup AGAIN to open the crypt volume and use the system. Fedora allows for that (but it makes the password universal). Just a thought. Hope this helps.
 
Could you be more specific about 'replay attack' in a storage context; it's not clear what you are trying to accomplish.

One-time keys are supported by geli (geli onetime), but you would need to recreate and mount the filesystem on the device.
geli doesn't re-encrypt data on key change.

Another possible option is to use a stacked crypto filesystem, i.e. an encrypted filesystem mounted on top of an existing filesystem.

PEFS supports multiple keys and per-directory default key:
http://wiki.freebsd.org/PEFS
https://github.com/glk/pefs

Example setup:
Code:
# pefs mount /private /private
# pefs addkey                    # enter the current key
# /private/current is the current data snapshot (a symlink to the live directory)
# mkdir /private/NEW
# pefs addkey                    # enter the new key
# pefs setkey /private/NEW       # enter the new key again; it becomes NEW's default key
# cp -r /private/current/ /private/NEW/
# rm /private/current; ln -s /private/NEW /private/current; rm -r /private/OLD   # OLD = the directory current pointed to before
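The rotation above, as a reusable sh script (an added example for this thread, not code from the PEFS project or from the poster). It assumes a hypothetical layout where BASE (e.g. /private) is a pefs mount point and BASE/current is a real directory holding the live data, and it assumes pefs addkey takes the filesystem path and pefs setkey the directory path as in pefs(8). Each rotation copies the live data into BASE/NEW under a freshly added key, renames NEW over current, and deletes the previous copy, so the ciphertext on disk is rewritten under the new key every time; when the pefs binary is not installed the key steps are skipped so the copy/rename plumbing can still be exercised on a plain filesystem.

```shell
#!/bin/sh
# pefs key-rotation helper: added example, not part of PEFS. Layout and pefs
# argument order are assumptions; see pefs(8) on your system before relying on it.
set -u

# Add a new key to the pefs filesystem mounted at $1 and make it the default
# key for directory $2. Both prompts are interactive (see -k/-j in pefs(8)).
# Skipped when pefs is not installed so the rest can be tested anywhere.
pefs_rekey_dir() {
    if command -v pefs >/dev/null 2>&1; then
        pefs addkey "$1" && pefs setkey "$2"
    fi
}

# Rotate $1/current: copy it into $1/NEW under a new key, swap the directories,
# delete the old copy. Prints the path the old data was moved to (for audit
# logs); returns non-zero and leaves current untouched on failure.
rotate_snapshot() {
    base=$1
    cur="$base/current"
    new="$base/NEW"
    old="$base/OLD.$$"

    [ -d "$cur" ] || { echo "no live data at $cur" >&2; return 1; }
    [ ! -e "$new" ] || { echo "$new exists, rotation already in progress?" >&2; return 1; }

    mkdir "$new" || return 1
    pefs_rekey_dir "$base" "$new" || { rmdir "$new"; return 1; }

    # Copy everything, dotfiles and permissions included; pefs encrypts each
    # copy with NEW's default key as it is written.
    cp -Rp "$cur/." "$new/" || { rm -rf "$new"; return 1; }

    # Two renames on the same filesystem. There is a brief window with no
    # "current" directory, which is why the copy and rekey happen first and
    # the old directory is restored if the second rename fails.
    mv "$cur" "$old" || { rm -rf "$new"; return 1; }
    mv "$new" "$cur" || { mv "$old" "$cur"; rm -rf "$new"; return 1; }

    # Only after current holds the new copy is the old ciphertext deleted.
    # Note that rm does not scrub the freed blocks on disk.
    rm -rf "$old"
    printf '%s\n' "$old"
}

# usage: rotate_snapshot /private
```

Run it from cron at the interval the first post asks about; a rotation that fails before the first rename leaves the live directory exactly as it was, and one that fails between the renames moves the old directory back.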
 
Compile Linux crypto for FreeBSD...specify one-time, but geli holds the ultimate password. In Linux, swap is re-formatted. Hope this helps.
 
To create a vulnerability in crypto we just need a universal time key that after editing is the same, so we just need to air condition some variables regularly, like cleaning water, wallpapers, TV screens etc.
operator new like water spray is an effective measure against uninitialized stuff etc.
What about kernel space? Does it have programmatic air conditioning each day or so? I saw some dusty stores inside kernel memory management code, but I dunno who cares about it.
 