site
contact
newsPassword converted to 64-byte hash
I posted yesterday about fscrypt v2:
https://bkhome.org/news/202304/preliminary-support-for-fscrypt-v2.html
There is a security concern, as the password the user types in at
bootup is used to create the encrypted folders. Quoting from here:
https://www.kernel.org/doc/html/latest/filesystems/fscrypt.html
Master keys must be real cryptographic keys, i.e.
indistinguishable from random bytestrings of the same length. This
implies that users must not directly use a password as a master key,
zero-pad a shorter key, or repeat a shorter key. Security cannot be
guaranteed if userspace makes any such error, as the cryptographic
proofs and analysis would no longer apply.
Instead, users should generate master keys either using a
cryptographically secure random number generator, or by using a KDF (Key
Derivation Function). The kernel does not do any key stretching;
therefore, if userspace derives the key from a low-entropy secret such
as a passphrase, it is critical that a KDF designed for this purpose be
used, such as scrypt, PBKDF2, or Argon2.
I have compiled the 'argon2' utility in OE, statically-linked with musl, for use in the initrd. Argon2 project:
https://github.com/p-h-c/phc-winner-argon2
Now, in the 'init' script in the initrd, there is this line:
PASSPHRASE="$(echo -n ${PW}xxxx | argon2 ${SALT} -l 32 -r)" #20230430 64 byte hash generated from password.
...I have named the variable "PASSPHRASE", but it is actually now a
64-byte hash. This is then used to add a key to the ext4 filesystem.
WoofQ commit:
https://github.com/bkauler/woofq/commit/306859c3dc6714306e113811feb2a2587fa649ca
Tags: easy