use PBKDF2 for the LUKS2 keyslots #286
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The test was only implemented in the unmocked suite, but relies on mocking the call to luks2.Format in order to override the flag. This may as well just only be a mocked test.
chrisccoulson
force-pushed
the
switch-keyslots-to-pbkdf2
branch
from
31d7c3c to
1007950
Compare
chrisccoulson
force-pushed
the
switch-keyslots-to-pbkdf2
branch
from
1007950 to
95bfffd
Compare
We currently use a minimal Argon2i configuration for the main unlock keyslots and then Argon2i benchmarked to 2s by default for recovery keyslots. Note that the cryptsetup default now is Argon2id, but Argon2 is overkill in this context anyway. For the main unlock keyslots, hardcode a minimal PBKDF2 configuration. Also hardcode a PBKDF2 configuration for the recovery keyslots, but use 600,000 iterations which is the current OWASP recommendations for ordinary passphrases (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html). This is still overkill for a 128bit recovery key, and if we implement a 256bit recovery key then we could justify using a minimal configuration here as well. Note that systemd is using minimal PBKDF2 configurations for both normal and recovery keyslots. This simplifies the API by not requiring KDFs to be configured, and means that the configuration is suitable where FIPS140 compliance is required.
chrisccoulson
force-pushed
the
switch-keyslots-to-pbkdf2
branch
from
95bfffd to
c2431aa
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We currently use a minimal Argon2i configuration for the main unlock
keyslots and then Argon2i benchmarked to 2s by default for recovery
keyslots. Note that the cryptsetup default now is Argon2id, but Argon2
is overkill in this context anyway.
For the main unlock keyslots, hardcode a minimal PBKDF2 configuration.
Also hardcode a PBKDF2 configuration for the recovery keyslots, but
use 600,000 iterations which is the current OWASP recommendations for
ordinary passphrases
(https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html).
This is still overkill for a 128bit recovery key, and if we implement a
256bit recovery key then we could justify using a minimal configuration
here as well. Note that systemd is using minimal PBKDF2 configurations
for both normal and recovery keyslots.
This simplifies the API by not requiring KDFs to be configured, and
means that the configuration is suitable where FIPS140 compliance is
required.