Hi John,

> Let's say, for instance, that I'm setting up an encrypted home directory
> for user "john." I set it up initially with john's login password with
> the eventual intention of using pam_mount with john's login password.
> But, I want to add root's password as well, just in case. What do I do
> for this password to "exist" somewhere so I can attach it to this partition?

LUKS partitions store the encrypted encryption key using the user's passphrases. Hence, if you know one valid passphrase, you can retrieve the encryption key and access all of the partition.

To add *a second* passphrase to that partition, the partition's encryption key has to be encrypted with that second passphrase and then stored. For that to work, you'll have to know an existing passphrase so that the encryption key can be retrieved, and then - as stated - be re-encrypted and stored with the second, new passphrase.

addKey asks you two times for passphrases:
1. an existing passphrase to retrieve the partition encryption key, and
2. a new passphrase, to which the partition key is encrypted and stored.

Please pay attention to the fact that any user that knows a valid passphrase may retrieve the partition encryption key, so removing a passphrase is *no* means of revoking somebody's access! (If that's the case, the complete partition must be re-encrypted with a new key).

HTH,
-hannes
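
The key-slot behaviour described in the message above, as an added example that is not part of the original e-mail and not cryptsetup's code: a toy Python model in which one volume key is wrapped once per passphrase. The names `Volume`, `kdf` and `xor` are hypothetical, XOR stands in for the real key-wrapping cipher, and the iteration count is an assumption chosen for speed.

```python
import hashlib, hmac, os
ITER = 1000  # low so the example runs fast (assumption); real headers use far more

def kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITER, 32)

def xor(a: bytes, b: bytes) -> bytes:  # toy stand-in for the real key-wrapping cipher
    return bytes(x ^ y for x, y in zip(a, b))

class Volume:
    """Toy model of a header: one volume key, wrapped once per passphrase slot."""
    def __init__(self, passphrase: str):
        self._set_volume_key(os.urandom(32), passphrase)

    def _set_volume_key(self, vk: bytes, passphrase: str) -> None:
        self.digest_salt = os.urandom(16)
        self.digest = kdf(vk, self.digest_salt)  # lets us recognise the right key
        self.slots = {}
        self._store(vk, passphrase)

    def _store(self, vk: bytes, passphrase: str) -> int:
        salt, slot = os.urandom(16), max(self.slots, default=-1) + 1
        self.slots[slot] = (salt, xor(vk, kdf(passphrase.encode(), salt)))
        return slot

    def is_volume_key(self, vk: bytes) -> bool:
        return hmac.compare_digest(kdf(vk, self.digest_salt), self.digest)

    def unlock(self, passphrase: str):
        for salt, wrapped in self.slots.values():
            vk = xor(wrapped, kdf(passphrase.encode(), salt))
            if self.is_volume_key(vk):
                return vk  # falls through to None when no slot matches

    def add_key(self, existing: str, new: str) -> int:
        vk = self.unlock(existing)  # step 1: existing passphrase recovers the key
        if vk is None:
            raise PermissionError("no slot matches the existing passphrase")
        return self._store(vk, new)  # step 2: same key, wrapped under the new one

    def remove_key(self, passphrase: str) -> None:
        for slot, (salt, wrapped) in list(self.slots.items()):
            if self.is_volume_key(xor(wrapped, kdf(passphrase.encode(), salt))):
                del self.slots[slot]  # the volume key itself is unchanged

    def reencrypt(self, passphrase: str) -> None:
        if self.unlock(passphrase) is None:
            raise PermissionError("wrong passphrase")
        self._set_volume_key(os.urandom(32), passphrase)  # data rewrite not modelled
```

A volume key read out before `remove_key` still passes `is_volume_key` afterwards; only `reencrypt`, which replaces the key, invalidates it.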