Am Mittwoch, 26. April 2006 10:02 schrieb ext John Norvell: > Dirk Heinrichs wrote: > > This means you entered the wrong passphrase. Adding a new passphrase > > requires knowledge of an existing one. > > This is the critical ambiguity in all the cryptsetup documents (and the > error message): If I'm adding a NEW password, in what sense can it be an > existing one? Existing where? LUKS gives you 8 key slots. When you first create a mapping (via luksFormat) you put a key in key slot 0. When you later add more keys, you should provide either a passphrase or a keyfile corresponding to one of the key slots where a passphrase or key already exists. This is just the same as for luksOpen. You need to know one passphrase for one of the used key slots to either do luksOpen or luksAddKey. > Let's say, for instance, that I'm setting up an encrypted home directory > for user "john." I set it up initially with john's login password with > the eventual intention of using pam_mount with john's login password. > But, I want to add root's password as well, just in case. What do I do > for this password to "exist" somewhere so I can attach it to this > partition? See above: Do luksFormat, enter john's passphrase, this goes into key slot 0. Then do luksAddKey: You are first prompted for the passphrase of an existing key slot (to make sure you arte allowed to add another key), enter john's passphrase. Then you are prompted for the new passphrase, which goes into key slot 1. If you want to add another key, or just create the mapping with luksOpen, you can enter either john's or root's passphrase. HTH... Dirk -- Dirk Heinrichs | Tel: +49 (0)162 234 3408 Configuration Manager | Fax: +49 (0)211 47068 111 Capgemini Deutschland | Mail: dirk.heinrichs@xxxxxxxxxxxxx Hambornerstraße 55 | Web: http://www.capgemini.com D-40472 Düsseldorf | ICQ#: 110037733 GPG Public Key C2E467BB | Keyserver: www.keyserver.net
Attachment:
pgpgRzIvjzTTb.pgp
Description: PGP signature
