ecryptfs-users team mailing list archive

Re: Migrating from LUKS?

 

David

As Dustin stated, there are few known and publicised 'audits' of eCryptfs.
That's not to say they have not been done.  

However, I am one of the first that I know of who's written an academic
paper on it in the UK. I have literally just submitted my final year MS(c)
Thesis to the University here in England - it was basically about the
digital forensic implications of eCryptfs for digital investigators. It's
not for general circulation though unfortunately. 

It's worth me stating that I am by no means a smart guy - fairly average,
so my findings could well be flawed or incomplete. Though my experiments
opened up a whole new world of potential new areas of research, I did not
find a way to 'simply' bypass eCryptfs. There is nothing over and above
what Dustin has stated in his blogs and press interviews such as potential
swap partition caching, weak login passwords etc. If you choose a good
login password, it's as tough as old boots! Have you ever read about the
creation and exchange of the FEKEK, FEK, EFEK and FNEKs, use of salt, etc?
It's enough to send you mad! Creating flow charts about it sent me insane!

With the right kit, experience, knowledge and (most significantly)
physical access to both the machine and the wrapped-passphrase file where
eCryptfs is running, recovery of encrypted data may be possible. I
demonstrated how, using standard login passwords (such as the name of a
city), and a fairly powerful computer with fairly good password recovery
software and techniques, access could be gained in an hour or so. I also
demonstrated how, with physical access, a certain hardware vulnerability
could be exploited and used to potentially pull out the login password from
memory, no matter how long or complex it is. None of this is new news
though. Dustin has said as much himself. Without physical access to the
machine or if a very good login password is chosen, it seems largely
impossible to bypass eCryptfs encryption to me. 

That said, my research has now put eCryptfs 'on the map', so to speak, in
the digital forensic world here in the UK. Several practitioners have now
got their eye on it. Like anything new, everyone now wants to have a play!
That's a good thing for eCryptfs in my view as I can report back findings.

Ted