caam-keygen supports generating a black key from plaintext. Is it possible to:
1. decrypt data from one device on another if the keys were generated from the same plaintext? (The OTPMKs are different.)
2. use this plaintext as a key for dmsetup, prepare an image on, for example, a host machine, and later mount the image on a device using a black key generated from the same plaintext?
In other words, is the plaintext interpreted as a symmetric key and used for encryption/decryption? Or is it just some modifier that allows generating black keys in the same way on the same/different devices?
Thanks
Hello @Alexander_iv ,
I hope you are doing well.
Q) Is the plaintext interpreted as a symmetric key and used for encryption/decryption?
-> It makes an encryption key out of plain text or data.
$ ./caam-keygen
create <key_name> <key_enc> <key_mode> <key_val>
Using the key mode, we can generate a black key from the plaintext given in the next argument, or generate a black key from random data with the size given in the next argument.
I have mentioned the example for the reference as well.
-> To generate a random black key encrypted with CCM from a plaintext of 24 bytes:
./caam-keygen create randomkeyCCM ccm -s 24
Please refer to this doc for in-depth details.
https://community.nxp.com/
I hope this information helps you.
Thanks & Regards,
Sanket Parekh
Thank you for your answer. My question was mostly about using a key to encrypt something on one host/board and decrypting it on another, which has that key as a black key.
Some experiments showed it's possible. I'm just putting some notes here; they could be helpful in the future.
Preparing key & encrypted partition on a host
#!/bin/bash
set -e
LOOPDEV=/dev/loop0
DMPART=/dev/mapper/encrypted-tmp
# 32-byte (AES-256) key as hex; the same value becomes the black key on the board
KEY="782DBC901C72F00E8E7A318EC98CF49BB564D5D3723CC0600FDE547DF0E43E4A"
MNTDIR=/tmp/mnt
# Create raw file (16 MiB)
dd if=/dev/zero of=./data.img bs=1M count=16
# Attach the raw file to a loop device and create a dm-crypt mapping over the whole device.
# The table length is taken from the device (16 MiB = 32768 sectors; a hard-coded 16384 maps only half).
# Plain AES-ECB is used so the image matches the board's tk(ecb(aes)) mapping; ECB has no IV,
# so sectors holding identical plaintext produce identical ciphertext.
# The key is on the dmsetup command line and visible in the process list while it runs.
sudo losetup "$LOOPDEV" ./data.img
sudo dmsetup -v create encrypted-tmp --table "0 $(sudo blockdev --getsz "$LOOPDEV") crypt capi:ecb(aes) $KEY 0 $LOOPDEV 0 1 sector_size:512"
sudo mkfs.ext4 "$DMPART"
sync
mkdir -p "$MNTDIR"
sudo mount "$DMPART" "$MNTDIR"
# Mark
sudo touch "$MNTDIR/crypto-shripto"
# Sync & unmount
sync
sudo umount "$DMPART"
sudo dmsetup remove encrypted-tmp
sudo losetup -d "$LOOPDEV"
# Export the key as raw bytes, the form caam-keygen's -t argument expects on the board
echo "$KEY" | xxd -r -p > caam.key.txt
# data.img & caam.key.txt are ready for export on a board
Creating BB key from the key & mounting encrypted partition on a device
#!/bin/bash
set -e
# Key store path used here; it differs from the caam-keygen default
KEYSTORAGE=/run/caam/keys
LOOPDEV=/dev/loop5
MNTDIR=/tmp/mnt
DMDEV=/dev/mapper/encrypted
KEYNAME=mountkey
# Create the black key from the plaintext exported on the host (caam.key.txt holds the 32 raw key bytes).
# The bytes pass through a shell argument, which cannot carry NUL, space, tab or newline bytes;
# check the raw key for them (od -c caam.key.txt) before relying on this step.
caam-keygen create "$KEYNAME" ecb -t "$(cat caam.key.txt)"
# Import the black key blob into the session keyring as a logon key
cat "$KEYSTORAGE/$KEYNAME" | keyctl padd logon "$KEYNAME:" @s
mkdir -p "$MNTDIR"
losetup "$LOOPDEV" data.img
# Key size 52 is the size in bytes of the blob loaded above (check with wc -c); the key material itself stays in the keyring
dmsetup -v create encrypted --table "0 $(blockdev --getsz "$LOOPDEV") crypt capi:tk(ecb(aes)) :52:logon:$KEYNAME: 0 $LOOPDEV 0 1 sector_size:512"
mount "$DMDEV" "$MNTDIR"
ls -l "$MNTDIR"
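As an added example, not part of the post above: a small POSIX shell script that wraps the fragile pieces of the two scripts in functions that can be run on any host without CAAM hardware. It converts the hex key to raw bytes without xxd, checks whether a raw key can survive the `-t "$(cat caam.key.txt)"` hand-off (command substitution drops NUL bytes and trailing newlines, and unquoted expansion splits on whitespace), derives the dm-crypt table length from the image size instead of a hard-coded sector count, and takes the black key size field from the length of the blob that is loaded into the keyring rather than assuming 52. The 52-byte all-zero blob, the image file and the /dev/loop paths in the demo are constructed stand-ins; real values come from caam-keygen and losetup on the board.

```shell
#!/bin/sh
# Added example (not from the post or NXP): helpers for the key hand-off and
# dm-crypt table geometry used in the host/board scripts. Runs without CAAM.
set -e

# hex_to_raw HEX: write the raw bytes of a hex string to stdout
# (portable replacement for `xxd -r -p`; fails on odd-length input).
hex_to_raw() {
  hex=$1
  [ $(( ${#hex} % 2 )) -eq 0 ] || return 1
  while [ -n "$hex" ]; do
    pair=${hex%"${hex#??}"}   # first two hex digits
    hex=${hex#??}
    printf "\\$(printf '%03o' "$((0x$pair))")"
  done
}

# key_arg_safe FILE: succeed only if the raw key in FILE reaches
# `caam-keygen ... -t "$(cat FILE)"` unchanged. $(...) drops NUL bytes and
# trailing newlines; an unquoted expansion also splits on space, tab, newline.
key_arg_safe() {
  total=$(wc -c < "$1" | tr -d ' ')
  kept=$(tr -d '\000 \t\n' < "$1" | wc -c | tr -d ' ')
  [ "$total" -eq "$kept" ]
}

# image_sectors FILE: number of 512-byte sectors, for the dm-crypt table
# (equivalent to `blockdev --getsz` on the attached loop device).
image_sectors() {
  bytes=$(wc -c < "$1" | tr -d ' ')
  echo $((bytes / 512))
}

# dm_table_plain SECTORS HEXKEY DEV: host-side table, plaintext key inline
dm_table_plain() {
  echo "0 $1 crypt capi:ecb(aes) $2 0 $3 0 1 sector_size:512"
}

# dm_table_blackkey SECTORS BLOBFILE KEYNAME DEV: board-side table referencing
# the logon key; the key size field is the byte length of the blob that was
# loaded with `keyctl padd logon`, so it need not be hard-coded.
dm_table_blackkey() {
  size=$(wc -c < "$2" | tr -d ' ')
  echo "0 $1 crypt capi:tk(ecb(aes)) :$size:logon:$3: 0 $4 0 1 sector_size:512"
}

# Demo on constructed inputs: the key from the post and a 52-byte zero blob
# standing in for the black key file caam-keygen would write.
demo() {
  dir=$(mktemp -d)
  hex_to_raw 782DBC901C72F00E8E7A318EC98CF49BB564D5D3723CC0600FDE547DF0E43E4A > "$dir/caam.key.txt"
  key_arg_safe "$dir/caam.key.txt" && echo "key survives \$(cat caam.key.txt) unchanged"
  dd if=/dev/zero of="$dir/mountkey" bs=52 count=1 2>/dev/null
  dd if=/dev/zero of="$dir/data.img" bs=1048576 count=16 2>/dev/null
  dm_table_blackkey "$(image_sectors "$dir/data.img")" "$dir/mountkey" mountkey /dev/loop5
  rm -rf "$dir"
}
demo
```

The key-hand-off check is the one worth keeping around: the key in the post happens to contain no NUL or whitespace bytes, so `$(cat caam.key.txt)` works, but a freshly generated random key has roughly a one-in-eight chance of containing one of those four byte values and would be silently truncated or split before caam-keygen sees it.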
Hello @Alexander_iv ,
Thanks for sharing it.
It'll be really helpful for others to use as a reference.
Thanks & Regards,
Sanket Parekh