ZFS What is the relavance of the "passphase" (to create/generate the "master key") for ZFS encryption when it (the "passphrase") can be changed later?

[ikevin8me]

When we encrypt the ZFS disk (whole volume), we need to enter a "passphrase". However, a "master key" is created to encrypt the data. The "passphrase" is the key to unlock the "master key". So, we can change the "passphrase" later and the "master key" remains the same but will be secured by the new "passphrase"; and the encrypted data remains the same because it is encrypted by the same "master key".

So, this leaves me wondering...

First, to be clear: changing the "passphrase" does not change the "master key", and thus will not re-encrypt the data.

It seems that the "passhrase" is not used and not even relavant to the generated of the "master key" to encrypt the data.... is this correct?

And if that is correct... how is the "master key" generated/created?

Could anyone please clarify this?

 

[zirias@]

how is the "master key" generated/created?

(Note this isn't specific to ZFS at all) ... randomly!

For that to be secure, you need a cryptographically strong random number generator, e.g. on FreeBSD random(4).

There are algorithms to derive data from passphrases that should provide similar security. But if you'd use that directly, there would be no sane way to ever change the passphrase.

edit, btw, for these "key derivation" algorithms, you still need supplementary random data.

 

[Ordoban]

Without knowing the specific ZFS encryption, I would assume that the master key is stored encrypted by the password on the hard drive.
To decrypt the hard disk, the encrypted master key is read from the disk, decrypted with the password, and then used to decrypt the data.
Changing the password only requires reading the encrypted master key, decrypting it with the old password, encrypting it with the new password and then rewriting it.
Edit: The master key is a total random number, created once while volume initialisation.

 

[Alain De Vos]

What is the relevance of a user password when you need to know the old user password in order to change it to a new user password ?

 

[sko]

I would assume that the master key is stored encrypted by the password on the hard drive

Not encrypted, 'only' protected by the password. Same principle as e.g. with GPG-Keys which are password protected.
The password serves as a second factor, so if the (private in case of GPG) key is leaked, it is still useless without knowing the password.

To use or change one part (key or password) you always need the second - If you gain knowledge that one of the two has been leaked, you can replace it before someone might have knowledge of both parts. In case of GPG you can sign the new key with your old one before revoking it, hence retaining a valid chain of trust. (yes, changing the key always has much broader implications than changing the password; hence you should always keep a private key "pivate" as the name implies)

 

[Ordoban]

What is the relevance of a user password when you need to know the old user password in order to change it to a new user password ?

Encryption would be useless if nothing is required to change the pass/key to a valid one.

 

[Ordoban]

Not encrypted, 'only' protected by the password. Same principle as e.g. with GPG-Keys which are password protected.

What is that 'protection' other than encryption? I would even an XOR count as encryption in that case.
Or do you think the decryption program just refuses to decrypt because the entered password does not match a stored one? That would be very weak.

 

[zirias@]

What is that 'protection' other than encryption? I would even an XOR count as encryption in that case.

Exactly. BTW, didn't look at ZFS encryption, still I'm pretty sure it does use some KDF to store the encrypted master key. geli(8) definitely does.

 

[sko]

What is that 'protection' other than encryption? I would even an XOR count as encryption in that case.
Or do you think the decryption program just refuses to decrypt because the entered password does not match a stored one? That would be very weak.

True, I haven't thought about it that way. I was only referring to how it works at the user end - i.e. without the password you cant 'use' the key. But yes, it might be just something like that behind the curtains.

 

[zirias@]

sko I guess I can clarify that further – again not talking about ZFS encryption specifically cause I never used it, but other systems work that way:

You can optionally have both a key and a passphrase. Then it's like you described, you need both of them to decrypt the device/volume. But in that case, the key is still not the master key. Instead, the master key is encrypted with the combination of both, the passphrase and the ("user") key.

Having a separate master key is done exactly for the reason to be able to change credentials without re-encrypting everything, there's never a need to change the master key.

 

[Alexey V. Gubin]

It seems that the "passhrase" is not used and not even relavant to the generated of the "master key" to encrypt the data.... is this correct?

And if that is correct... how is the "master key" generated/created?

Yes, the passphrase is not relevant to the generation of the master key.

The master key is randomly generated when the dataset is created.

The passphrase is used to produce the user key. Master key is then encrypted with the user key and saved to disk. The master key is never stored in plain, so you must provide the passphrase at the time master key is generated. Otherwise will not be able to save the master key to disk.

 

[rawthey]

What is the relevance of a user password when you need to know the old user password in order to change it to a new user password ?

If you could change the password without supplying the old one then anyone could do that and get access to your data and deny you access. If you suspect someone has discovered your password you would want to change it before they get the chance to do that.