On Friday, 28 April 2006 07:58, ext John Norvell wrote:
> Dirk Heinrichs wrote:
> > louisa ~ # cryptsetup luksFormat -c aes-cbc-essiv:sha256 /dev/evms/test
> >
> > WARNING!
> > ========
> > This will overwrite data on /dev/evms/test irrevocably.
> >
> > Are you sure? (Type uppercase yes): YES
> > Enter LUKS passphrase:
> > Verify passphrase:
> > Command successful.
> > louisa ~ # dd if=/dev/urandom of=/etc/crypt/keyfile count=1
> > 1+0 records in
> > 1+0 records out
> > 512 bytes (512 B) copied, 0.000189 seconds, 2.7 MB/s
> > louisa ~ # cryptsetup luksAddKey /dev/evms/test /etc/crypt/keyfile
> > Enter any LUKS passphrase:
> > Verify passphrase:
> > key slot 0 unlocked.
> > Command successful.
>
> Thanks for the reply. I understand down to this point. What I don't
> understand is the next two steps, with the -d option. How does this
> enable slot 2 with a passphrase, and why use the keyfile again?

In the step above, I enabled slot 1, but used a keyfile instead of a
passphrase.

> I also don't understand, above, how the keyfile gets encrypted.

I didn't encrypt it at all. You could do so, using GPG, but then you'd
need a passphrase again (for GPG, not for LUKS).

My setup, on a laptop, is such that I have encrypted all logical volumes.
The one that is mounted to / is protected with a passphrase, and I am
prompted for it at boot time (using an initrd). Once this is mounted, I
can use a single keyfile, stored on this volume, to unlock all the other
volumes without being prompted for a passphrase again and again.

> > louisa ~ # cryptsetup -d /etc/crypt/keyfile luksOpen /dev/evms/test c-test
> > key slot 1 unlocked.
> > Command successful.
> > louisa ~ # cryptsetup -d /etc/crypt/keyfile luksAddKey /dev/evms/test
> > key slot 1 unlocked.
> > Enter new passphrase for key slot:
> > Verify passphrase:
> > Command successful.

In those two commands, the keyfile given after -d _is_ the passphrase
(luksOpen/luksAddKey does not prompt for one). The passphrase that is
prompted for is the one for the _new_ key. As I wrote before, you need to
unlock one key slot to do any actions with LUKS. I could have omitted
"-d /etc/crypt/keyfile" completely, but then LUKS would have prompted for
a passphrase (which would have unlocked key slot 0, instead of slot 1).

Bye...

	Dirk
-- 
Dirk Heinrichs          | Tel:  +49 (0)162 234 3408
Configuration Manager   | Fax:  +49 (0)211 47068 111
Capgemini Deutschland   | Mail: dirk.heinrichs@xxxxxxxxxxxxx
Hambornerstraße 55      | Web:  http://www.capgemini.com
D-40472 Düsseldorf      | ICQ#: 110037733
GPG Public Key C2E467BB | Keyserver: www.keyserver.net
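The four-step sequence discussed in the mail (passphrase into slot 0, keyfile into slot 1, luksOpen with -d, second passphrase into slot 2 authorised by the keyfile), replayed as an added example that is not part of the original thread and not Dirk's script. It uses a throwaway file-backed container instead of /dev/evms/test and feeds every passphrase through --key-file (the long form of -d) so nothing prompts. Assumptions: cryptsetup is installed, the script runs as root (a loop device and, for luksOpen, device-mapper are needed), --type luks1 is available, and $WORK is scratch space that may be overwritten. The file names, the mapping name c-test and the passphrases are illustrative.

```shell
#!/bin/sh
# Added example: Dirk's LUKS key-slot sequence on a file-backed container.
# Assumes root, cryptsetup with --type luks1 and --test-passphrase, and
# scratch space in $WORK. Nothing here is the original poster's code.
set -eu

WORK="${WORK:-$(mktemp -d)}"
IMG="$WORK/test.img"          # stands in for /dev/evms/test
KEYFILE="$WORK/keyfile"       # stands in for /etc/crypt/keyfile
PASS0="$WORK/pass0.txt"       # passphrase that ends up in slot 0
PASS2="$WORK/pass2.txt"       # passphrase that ends up in slot 2
MAPNAME="c-test"

# Does this key (passphrase file or raw keyfile) unlock any slot?
# --test-passphrase checks the key against the header without creating a
# /dev/mapper entry; only the return code matters.
key_unlocks() {
    cryptsetup open --test-passphrase --key-file "$1" "$IMG" >/dev/null 2>&1
}

# Number of key slots luksDump reports as ENABLED (LUKS1 dump format).
enabled_slots() {
    cryptsetup luksDump "$IMG" | grep -c '^Key Slot [0-7]: ENABLED'
}

luks_demo() {
    dd if=/dev/zero of="$IMG" bs=1M count=32 2>/dev/null

    # Step 1 (slot 0): luksFormat with a passphrase. --batch-mode skips the
    # uppercase-YES confirmation; --type luks1 matches the 2006-era header.
    printf 'correct horse battery staple' > "$PASS0"
    cryptsetup luksFormat --batch-mode --type luks1 -c aes-cbc-essiv:sha256 \
        --key-file "$PASS0" "$IMG"

    # Step 2 (slot 1): add a random 512-byte keyfile. The existing slot-0
    # passphrase authorises the change; the new key is the positional argument.
    dd if=/dev/urandom of="$KEYFILE" bs=512 count=1 2>/dev/null
    chmod 0400 "$KEYFILE"
    cryptsetup luksAddKey --key-file "$PASS0" "$IMG" "$KEYFILE"

    # Step 3: open with the keyfile. --key-file (-d) *is* the passphrase, so
    # there is no prompt and slot 1 is what unlocks. Close it again at once.
    cryptsetup luksOpen --key-file "$KEYFILE" "$IMG" "$MAPNAME"
    cryptsetup luksClose "$MAPNAME"

    # Step 4 (slot 2): add a second passphrase, this time authorised by the
    # keyfile. Any one valid key is enough to authorise a header change.
    printf 'laptop-rescue-passphrase' > "$PASS2"
    cryptsetup luksAddKey --key-file "$KEYFILE" "$IMG" "$PASS2"

    cryptsetup luksDump "$IMG"
}

cleanup() {
    cryptsetup status "$MAPNAME" >/dev/null 2>&1 && cryptsetup luksClose "$MAPNAME"
    rm -rf "$WORK"
}

# Run the whole sequence only when asked; sourcing the file just defines
# the functions.
if [ "${LUKS_DEMO:-0}" = 1 ]; then
    luks_demo
    cleanup
fi
```

Run it as root with `LUKS_DEMO=1 sh luks-slots.sh`; the final luksDump should list slots 0, 1 and 2 as ENABLED. Two caveats worth knowing: cryptsetup reads a --key-file byte for byte, so a passphrase file with a trailing newline is a different passphrase from the same text typed at the prompt (the printf calls above deliberately omit the newline), and the keyfile scheme in the mail is only as strong as the volume the keyfile lives on and its file permissions, which is why the keyfile is created mode 0400 and why Dirk keeps his on the passphrase-protected root volume.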