I've added Qubes OS Version 3's backup encryption to my online password cracking service, CrackStation. It was possible to do this because Qubes' backup encryption does not correctly salt the backup encryption password.
To crack a Qubes OS backup password, follow the first steps of these
extract the contents of the backup. Copy and paste the contents of
backup-header.hmac into the form on CrackStation's homepage. If the password
is in CrackStation's dictionary, and the Qubes user used the default backup
settings, it will find the password in its lookup table, and return it to you.
The Qubes team is actively working on a fix to this problem in this GitHub issue. If you have cryptography experience, and you want to help Qubes fix this problem, please go read the comments on that issue and lend them a helping hand!
The contents of
backup-header.hmac is the output of the command
-sha512 -hmac '<the password>' backup-header. This computes the HMAC-SHA512 of
the contents of the
backup-header file using the password as the HMAC key. By
default, the contents of
There's no salt involved in the computation of this HMAC, so if the user has
left the Qubes backup settings as their defaults, the HMAC of this file will
have been computed in exactly the same way as the HMACs in CrackStation's hash
database. That's why a simple binary search lookup of the hash in the database
can quickly reverse the hash into its corresponding password.