Is it possible to add a key to an open LUKS volume without providing a current key?
Solution 1:
Yes, like this:
cryptsetup luksAddKey <DEVICE> --master-key-file <(dmsetup table --showkey /dev/mapper/<MAP> | awk '{print$5}' | xxd -r -p)
Substitute <DEVICE> with the block device containing the LUKS partition (such as /dev/sda1) and <MAP> with the name of the mapping (such as sda1_crypt).
Source: https://access.redhat.com/solutions/1543373
Solution 2:
No, not sanely — but an adversary could.
The cryptsetup tool operates on the encrypted volume itself, whether it is currently open or not. It needs to retrieve the volume key out of the volume; for that, it needs a way to decode one of the existing keyslots (passphrase or keyfile), or else you need to pass it the bare volume key (which you would not nearly keep lying around).
If the volume is mounted, then the kernel has the volume key in memory. But unsurprisingly, it does not provide an interface to retrieve it.
You can write and load a kernel module that retrieves the volume key (I think you'll have to jump through hoops, but from a security perspective that's trivial), unless module loading is disabled or authenticated. You can retrieve the key from a memory dump via /dev/kmem, unless that's disabled (I expect that there are off-the-shelf forensics tools for this, though I can't name any). I think that's it.