ecryptfs-add-passphrase hashing passphrase

Asked by Michael Moreton on 2019-01-03

Looking at the source for ecryptfs-add-passphrase, it is generating a signature for the passphrase by running SHA-512 a large number of times starting from the passphrase.

This signature is then passed to the kernel key ring as the "description" parameter, and is also passed into the mount command. From the description of this parameter it's just a unique name, it doesn't have any security value.

So why not just generate a random value for this description? Making it a derivative of the passphrase just sounds like it's adding another attack vector, however unlikely. And hashing it can take a significant time on an low power platform. Is there something else going on here?

Question information

English Edit question
Ubuntu ecryptfs-utils Edit question
No assignee Edit question
Last query:
Last reply:
Launchpad Janitor (janitor) said : #1

This question was expired because it remained in the 'Open' state without activity for the last 15 days.