Hiyas,

I want to suggest some features for cryptsetup-luks, which I miss a lot.

To begin, I miss a possibility to delete a key from keyslots by providing it, e.g. when a device is encrypted in the following way:

    Key Slot : key
    0 : foo
    1 : bar
    2 : foobar
    3 : foo

I would like to disable key slots 0 and 3 by only providing the key "foo" but without knowing which keyslot the keys are in, e.g.

    # cryptsetup luksDelKey /dev/mapper/encrypted --by-key
    Enter LUKS passphrase: foo
    Deleted Key Slots: 0, 3

so after this only Key Slot 2 and 3 are enabled.

In a similar way it would be nice to enable only one Keyslot that has the provided Key, e.g.

    # cryptsetup luksUniqueKey /dev/mapper/encrypted
    Enter LUKS passphrase: foo
    Deleted Key Slots: 1,2,3

These possibilities would make it a lot easier to delete unwanted keys.

Another feature I would find really useful would be support for wiping / reinstating the key with dmsetup in luks as described in <20060814164431.GR18633@xxxxxxxxxxxxxxxxxxxxx>

This would be very useful for a more secure suspend to ram on notebooks without the need to unmount the encrypted partitions. I guess a command like

    # cryptsetup luksReopen encrypted-open
    Enter LUKS passphrase: foo
    Successfully reopened encrypted-open

A little enhancement would be to make this possible for several devices at once with cryptsetup asking for passwords as long as not all devices have been reopened successfully. It would be even nice to have this possibility for the luksOpen command, so that one can open several devices at once, e.g.

    # cryptsetup luksOpen encrypted1 encrypted1-open enc2 enc2-open enc3 enc3-open
    Enter LUKS passphrase: foo
    Successfully mapped encrypted1 to encrypted1-open
    Enter LUKS passphrase: bar
    Successfully mapped enc2 to enc2-open
    Successfully mapped enc3 to enc3-open

that would perform "dmsetup message encrypted-open 0 key set <key>" with the gained Masterkey.

Also it would be nice to have a possibility to get the key slot(s) that are used for a special key, e.g.

    # cryptsetup luksGetSlots /dev/mapper/encrypted
    Enter LUKS passphrase: foo
    Key Slot: 0
    Key Slot: 3

Maybe with a "--quiet" option, that only displays the number of the key-slots.

A last, nice to have feature, would be a way to delete all keys at once, e.g.

    # cryptsetup luksClearKeys /dev/mapper/encrypted
    Warning: You will not be able to access any data on /dev/mapper/encrypted anymore, type uppercase yes to proceed: YES
    All keys deleted.

This could also overwrite any other data that may help in restoring the MasterKey. This is useful in cases where the encrypted data is not needed anymore and there is no need to completely overwrite the data on the device.

Please give me some feedback, whether or not you like my improvement suggestions and whether or not you would implement them. I would like to provide some patches very much, but since I am not that familiar with C, it could take some time.

And thank you very much for luks so far, it made encryption in Linux a lot easier,

Regards, Till
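
The key-slot lookup requested above (the proposed luksGetSlots), as an added example that is not part of the original post and not cryptsetup's own code: it probes each slot with cryptsetup's `--test-passphrase` and `--key-slot` options. The helper name `luks_slots_for_passphrase` and the default of 8 slots (LUKS1) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). luks_slots_for_passphrase is a
# hypothetical helper name, not a cryptsetup subcommand.
#
# Usage: luks_slots_for_passphrase DEVICE PASSPHRASE [SLOT_COUNT]
# Prints the key slots that PASSPHRASE unlocks, space-separated.
# SLOT_COUNT defaults to 8 (LUKS1 has slots 0-7); pass 32 for LUKS2.
luks_slots_for_passphrase() {
    _dev=$1 _pass=$2 _count=${3:-8}
    _slot=0 _found=
    while [ "$_slot" -lt "$_count" ]; do
        # --test-passphrase checks the passphrase without creating a mapping,
        # --key-slot limits the check to one slot. With --key-file - the input
        # is read up to EOF and a trailing newline is not stripped, so
        # printf '%s' sends exactly the passphrase bytes.
        if printf '%s' "$_pass" |
            cryptsetup open --test-passphrase --key-slot "$_slot" \
                --key-file - "$_dev" >/dev/null 2>&1; then
            _found="${_found:+$_found }$_slot"
        fi
        _slot=$((_slot + 1))
    done
    [ -n "$_found" ] || return 1   # no slot matched
    printf '%s\n' "$_found"
}

# Interactive use: sh this-script DEVICE (needs root and a LUKS block device).
if [ "$#" -eq 1 ] && [ -b "$1" ]; then
    printf 'Enter LUKS passphrase: ' >&2
    stty -echo; IFS= read -r pw; stty echo; echo >&2
    if slots=$(luks_slots_for_passphrase "$1" "$pw"); then
        echo "Key slots: $slots"
        # Remove one with: cryptsetup luksKillSlot "$1" SLOT
    else
        echo 'No key slot matches this passphrase' >&2; exit 1
    fi
fi
```

Before removing any slot reported here, confirm that another passphrase still opens the device, since killing the last usable slot makes the data unrecoverable.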