Technical Details: FreeOTFE Volumes and Keyfiles
A FreeOTFE volume (regardless of whether it is stored in a file or a partition) consists of two parts:
- A critical data block (CDB)
- An encrypted partition image
The CDB may either form part of the volume, in which case it is prepended to the encrypted partition image, or it may be stored as a separate file, in which case it is referred to as a "keyfile".
Users may create any number of keyfiles for any given volume. To create a new keyfile, the user must supply either:
- An existing keyfile
- A volume file which has a CDB
together with its password, salt length, etc. The keyfile or volume CDB supplied will then be read in, decrypted, and re-encrypted with a new password, salt length, etc. (all supplied by the user) before being written out as the new keyfile.
A full definition of the contents of a CDB/keyfile is supplied in this documentation.
Notes:
- A FreeOTFE keyfile is nothing more than a CDB, the "volume details block" of which contains the encryption details used for securing the volume it relates to.
- A volume may have one or more keyfiles, in which case they all share the same data stored within their respective "volume details block", but each one is encrypted with a different user password, salt, random padding, etc., making each keyfile unique.
- Keyfiles are encrypted with the same cypher/hash as the encrypted partition image they relate to.
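A toy Python model of the keyfile creation procedure and of the notes above: one volume details block is read from an existing keyfile, decrypted, and re-encrypted under a new user-supplied password, salt length and random padding, so every keyfile for the volume differs on disk yet opens to the same details. This is an added example, not FreeOTFE's code or CDB layout; the PBKDF2 key derivation, the HMAC counter-mode stream cypher, the fixed 32-byte details block and the tag check are all stand-in assumptions.

```python
"""Toy model of FreeOTFE-style keyfile creation (added example, not FreeOTFE's code or format).
Constructed layout: keyfile = salt || E(details || tag) || random padding. As in FreeOTFE,
the salt length is not stored in the keyfile; the user supplies it when opening."""
import hashlib
import hmac
import secrets

DETAILS_LEN = 32  # constructed: fixed "volume details block" size for this toy

def derive_key(password: bytes, salt: bytes) -> bytes:
    # Stand-in KDF (PBKDF2-HMAC-SHA256); FreeOTFE's hash choice is a volume parameter.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000, 32)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in for the volume's cypher (not FreeOTFE's).
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, off.to_bytes(8, "big"), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def write_keyfile(details: bytes, password: bytes, salt_len: int, pad_len: int) -> bytes:
    # Fresh salt and random padding make every keyfile for the same volume unique.
    assert len(details) == DETAILS_LEN
    salt = secrets.token_bytes(salt_len)
    key = derive_key(password, salt)
    tag = hmac.new(key, details, "sha256").digest()  # detects a wrong password or salt length
    return salt + keystream_xor(key, details + tag) + secrets.token_bytes(pad_len)

def read_keyfile(keyfile: bytes, password: bytes, salt_len: int) -> bytes:
    # Decrypt the volume details block; the tag check fails on a wrong password/salt length.
    salt, body = keyfile[:salt_len], keyfile[salt_len:salt_len + DETAILS_LEN + 32]
    key = derive_key(password, salt)
    plain = keystream_xor(key, body)
    details, tag = plain[:DETAILS_LEN], plain[DETAILS_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, details, "sha256").digest()):
        raise ValueError("wrong password/salt length, or corrupt keyfile")
    return details

def create_new_keyfile(existing: bytes, old_pw: bytes, old_salt_len: int,
                       new_pw: bytes, new_salt_len: int, pad_len: int) -> bytes:
    # The procedure from the text: read the existing CDB/keyfile, decrypt it, then
    # re-encrypt it with the new user-supplied password, salt length and padding.
    return write_keyfile(read_keyfile(existing, old_pw, old_salt_len), new_pw, new_salt_len, pad_len)

def keyfile_opens(keyfile: bytes, password: bytes, salt_len: int) -> bool:
    try:
        return read_keyfile(keyfile, password, salt_len) is not None
    except ValueError:
        return False
```

Opening a keyfile with the wrong salt length fails the tag check just as a wrong password does, which is why both must be supplied correctly by the user.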