Last Updated on 27/01/2022 by Nidhi Khandelwal
In life, there are three things you can count on: death, taxes, and new CVEs. The inevitable has happened for CentOS 8 users, and it didn’t take long. Something failed spectacularly just two weeks after the announced end of life, putting CentOS 8 users at risk of a severe attack, with no help from CentOS.
You’d assume that by now, corporations would have moved away from CentOS 8 to an OS that is actively supported by suppliers, and that this issue would no longer affect a substantial number of firms. Vendor support is, after all, crucial for security and compliance.
So, what exactly is LUKS? LUKS (Linux Unified Key Setup) is a method used in Linux-based systems to provide full disk encryption, among other things. Many “best practice” guidelines promote it as a critical system hardening option for security-conscious IT companies.
Having a completely encrypted disk (or “block device” in Linux-speak) ensures that data is safe from prying eyes even when it is not in use.
A TPM (Trusted Platform Module) can be used to further enhance security by tying a given block device to a specific machine. This makes it harder for an attacker to physically extract encrypted data from a machine and plug it into a high-performance device in order to brute-force access to the data. As always, though, the likelihood of success depends on computational capability, the choice of encryption scheme, and pure luck.
The ability to modify the key used to encrypt a device on the fly is a crucial feature of LUKS. This would be done, for example, in high-security workplaces for planned key rotations.
The device remains operational during the key changing process thanks to this on-the-fly re-encryption capability. It’s known as “online re-encryption,” and it refers to the ability to re-encrypt a disk with a different key while the disk remains online and in use.
A vulnerability was discovered in this process. It turns out that if you know what you’re doing, you can carry out this procedure even if you don’t have access to the original, current password: re-encryption can be requested without one.
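Since re-encryption is normally a planned operation, a volume whose header says re-encryption is under way outside a scheduled key rotation deserves a closer look. The following check is an added example, not code from the article or from the cryptsetup project; the field names (`config.requirements.mandatory`, the `online-reencrypt` flag, keyslots of type `reencrypt`) come from the LUKS2 on-disk format rather than from this page, and the sample headers are constructed.

```python
import json
import struct

LUKS2_MAGIC = b"LUKS\xba\xbe"
BIN_HDR_SIZE = 4096  # LUKS2 binary header; the JSON metadata area follows it

def reencrypt_state(header: bytes) -> dict:
    """Report re-encryption markers in a LUKS2 primary header (checksum not verified)."""
    if len(header) < BIN_HDR_SIZE or header[:6] != LUKS2_MAGIC:
        raise ValueError("not a LUKS2 primary header")
    # Big-endian: 16-bit version at offset 6, 64-bit header size at offset 8.
    version, hdr_size = struct.unpack(">HQ", header[6:16])
    if version != 2:
        raise ValueError(f"unsupported LUKS version {version}")
    if not BIN_HDR_SIZE < hdr_size <= len(header):
        raise ValueError("header size field is inconsistent with the data")
    # The JSON area is NUL-padded up to hdr_size.
    raw = header[BIN_HDR_SIZE:hdr_size].split(b"\x00", 1)[0]
    meta = json.loads(raw)
    reqs = meta.get("config", {}).get("requirements", {}).get("mandatory", [])
    slots = {
        slot_id: slot.get("mode")
        for slot_id, slot in meta.get("keyslots", {}).items()
        if slot.get("type") == "reencrypt"
    }
    flags = [r for r in reqs if r.startswith("online-reencrypt")]
    return {"flags": flags, "reencrypt_keyslots": slots,
            "in_progress": bool(flags or slots)}

def build_sample_header(meta: dict, json_area: int = 12288) -> bytes:
    """Constructed test input: minimal binary header plus NUL-padded JSON area."""
    hdr_size = BIN_HDR_SIZE + json_area
    binary = LUKS2_MAGIC + struct.pack(">HQ", 2, hdr_size)
    body = json.dumps(meta).encode()
    return binary.ljust(BIN_HDR_SIZE, b"\x00") + body.ljust(json_area, b"\x00")

# Constructed metadata, not taken from a real device.
IDLE = {"keyslots": {"0": {"type": "luks2"}}, "config": {"requirements": {}}}
ACTIVE = {
    "keyslots": {"0": {"type": "luks2"},
                 "2": {"type": "reencrypt", "mode": "reencrypt"}},
    "config": {"requirements": {"mandatory": ["online-reencrypt"]}},
}

if __name__ == "__main__":
    for name, meta in (("idle", IDLE), ("active", ACTIVE)):
        print(name, reencrypt_state(build_sample_header(meta)))
```

On a real system the same bytes can be read from a header backup made with `cryptsetup luksHeaderBackup`; a positive result is a prompt to compare against the rotation schedule, not proof of tampering.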