Dirk Heinrichs wrote:
> LUKS gives you 8 key slots. When you first create a mapping (via luksFormat)
> you put a key in key slot 0. When you later add more keys, you should
> provide either a passphrase or a keyfile corresponding to one of the key
> slots where a passphrase or key already exists.
>
> This is just the same as for luksOpen. You need to know one passphrase for
> one of the used key slots to either do luksOpen or luksAddKey.
>
>> Let's say, for instance, that I'm setting up an encrypted home directory
>> for user "john." I set it up initially with john's login password with
>> the eventual intention of using pam_mount with john's login password.
>> But, I want to add root's password as well, just in case. What do I do
>> for this password to "exist" somewhere so I can attach it to this
>> partition?
>
> See above: Do luksFormat, enter john's passphrase, this goes into key slot
> 0.
>
> Then do luksAddKey: You are first prompted for the passphrase of an existing
> key slot (to make sure you are allowed to add another key), enter john's
> passphrase. Then you are prompted for the new passphrase, which goes into
> key slot 1.
>
> If you want to add another key, or just create the mapping with luksOpen,
> you can enter either john's or root's passphrase.

So, let me see if I understand. If I never supply any key file, the passwords are being attached to a key that is stored on the partition itself, generated by the luksFormat command?

How, then, would I configure pam_mount to send the login password to mount a home directory encrypted this way? Pre-LUKS, I used a line like this in pam_mount.conf:

volume john crypt - /dev/sda8 /home/john loop,cipher=aes aes-256-cbc /home/john.key

Cheers,
John
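
Added example, not part of the original message and not cryptsetup's code: a simplified Python model of the key-slot scheme discussed in this thread, in which formatting generates a random master key, each slot stores that key wrapped under a passphrase-derived key, and any filled slot unlocks the same master key. The function names, the header layout and the XOR wrap are assumptions that stand in for the real on-disk format and slot encryption.

```python
import hashlib, hmac, os

SLOTS = 8  # number of key slots mentioned in the thread

def _stretch(secret: bytes, salt: bytes) -> bytes:
    # PBKDF2 turns a passphrase (or the master key) into 32 bytes.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 1000)

def _xor(a: bytes, b: bytes) -> bytes:
    # Toy key wrap (assumption): stands in for the real slot encryption.
    return bytes(x ^ y for x, y in zip(a, b))

def _fill(header, idx, master, passphrase):
    salt = os.urandom(16)
    header["slots"][idx] = (salt, _xor(master, _stretch(passphrase.encode(), salt)))

def luks_format(passphrase):
    """Generate the master key and wrap it into key slot 0."""
    master, mk_salt = os.urandom(32), os.urandom(16)
    header = {"mk_salt": mk_salt, "mk_digest": _stretch(master, mk_salt),
              "slots": [None] * SLOTS}
    _fill(header, 0, master, passphrase)
    return header

def unlock(header, passphrase):
    """Try each used slot; return (slot index, master key)."""
    for idx, slot in enumerate(header["slots"]):
        if slot is None:
            continue
        salt, wrapped = slot
        candidate = _xor(wrapped, _stretch(passphrase.encode(), salt))
        check = _stretch(candidate, header["mk_salt"])
        if hmac.compare_digest(check, header["mk_digest"]):
            return idx, candidate
    raise PermissionError("no key slot matches this passphrase")

def luks_add_key(header, existing, new):
    """Unlock with an existing passphrase, then wrap into a free slot."""
    _, master = unlock(header, existing)
    if None not in header["slots"]:
        raise RuntimeError("all key slots are in use")
    idx = header["slots"].index(None)
    _fill(header, idx, master, new)
    return idx

if __name__ == "__main__":
    hdr = luks_format("john-login-pw")  # constructed sample passphrases
    print(luks_add_key(hdr, "john-login-pw", "root-pw"))
    print(unlock(hdr, "root-pw")[0])
```

No passphrase is stored in the header; only the salted, wrapped copies of the master key and a digest used to recognise a correct unwrap.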