Re: Off Disk LUKS Header

Clayton Shepard wrote:

> 1.  According to http://www.saout.de/tikiwiki/tiki-index.php?page=LUKSFaq
> it seems like it should be easy for a user who has legitimate access (ie
> his own password) to the LUKS device to backup the header, that way, when
> his key is revoked he can simply put the old header back to regain access.
> Wouldn't that defeat the whole purpose of key management / password
> revocation?  How do you avoid this?

If a user only knows the passphrase of a LUKS encrypted device, but does not
have root privileges[1], then key management is still possible. One way to
achieve this is, for example, using a wrapper around cryptsetup to only allow
luksOpen and luksClose, e.g. via sudo.

> create this system right now.  Is there a way to use the luksFormat to
> output the header to a file or something?  (Is this what the --key-file is
> for?  It kind of seems like this uses a pre-existing key, and does not

The --key-file is used to use a file instead of manually entered text as
the "passphrase".

> create a new header...)  In other words I would like to call luksFormat,
> but rather than prepend the header to the beginning of the device it puts it
> somewhere user specified (preferably piped through gpg).  Then I can

The only "simple" solution that comes to my mind for some of this would be
to use dmsetup to create a virtual device, where the first X bytes that
contain the LUKS header are mapped to another location, e.g. on a loopback
device with a file on a USB stick, and the remaining data mapped to the
disk. But I do not know how you could add gpg to this setup. Also I do not
know the right command line to do this with dmsetup.


[1] To be more precise: The user must not have access to the encrypted data
and the output of "dmsetup table" and other data sources, e.g. the contents
of the memory.

Regards,
Till
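The sudo wrapper Till sketches for the first question, written out as an added example (it is not code from the thread or from the cryptsetup project). The device path, mapping name and sudoers line are constructed assumptions; the point is that the user can open and close the volume but never reach luksAddKey, luksKillSlot or luksHeaderBackup, so the administrator's slot revocations stick.

```shell
#!/bin/sh
# Added example: a wrapper root installs (assumed path /usr/local/sbin/luks-wrap)
# so that an unprivileged user may run only luksOpen/luksClose via sudo.
# Assumed sudoers entry (constructed):
#   alice ALL=(root) NOPASSWD: /usr/local/sbin/luks-wrap
ALLOWED_DEV="/dev/sdb1"      # assumed data device
ALLOWED_NAME="secret"        # assumed mapping name

# Validate the request and print the cryptsetup command line to run, or return
# non-zero for anything outside the allowed set. Kept separate from execution
# so the policy can be tested without touching a block device.
luks_wrap_command() {
    action="$1"; dev="$2"; name="$3"
    case "$action" in
        luksOpen)
            [ "$dev" = "$ALLOWED_DEV" ] && [ "$name" = "$ALLOWED_NAME" ] || return 1
            printf 'cryptsetup luksOpen %s %s\n' "$dev" "$name"
            ;;
        luksClose)
            [ "$name" = "$ALLOWED_NAME" ] || return 1
            printf 'cryptsetup luksClose %s\n' "$name"
            ;;
        *)
            # luksAddKey, luksKillSlot, luksHeaderBackup, luksDump, ...: refused
            return 1
            ;;
    esac
}

# Execute only when invoked with arguments (i.e. as the sudo target), so that
# sourcing the file for a test runs nothing.
if [ "$#" -ge 1 ]; then
    cmd=$(luks_wrap_command "$@") || { echo "refused: $*" >&2; exit 1; }
    exec $cmd
fi
```

Usage: `sudo /usr/local/sbin/luks-wrap luksOpen /dev/sdb1 secret`. The same restriction can be expressed without a script, since sudoers matches command arguments: `alice ALL=(root) /sbin/cryptsetup luksOpen /dev/sdb1 secret, /sbin/cryptsetup luksClose secret`. Either way, footnote [1] still applies: the user must have no read access to the raw device (otherwise they can copy the header themselves) and must not be able to run `dmsetup table`, which prints the master key of an open mapping.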
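The dmsetup arrangement Till describes but does not give the command line for, as an added example (constructed here, not from the thread or from the dm-crypt project). The virtual device is built from two `linear` segments: the first HEADER_SECTORS sectors come from a loop device backed by a file on the USB stick, the rest from the data partition starting at its sector 0, so the disk itself never carries a header. The device names, file path and header size are assumptions.

```shell
#!/bin/sh
# Added example: build the device-mapper "linear" table that puts a
# loop-backed header file in front of the data disk.
# Assumed names: header file /media/usb/luks.hdr on /dev/loop0,
# data partition /dev/sdb1, virtual device "luksvirt".
HEADER_SECTORS=4096   # assumed reservation: 4096 sectors = 2 MiB

# Print the two-line dmsetup table.
# Line format: <start> <length> linear <device> <offset>, all in 512-byte sectors.
# Arguments: header_dev data_dev data_sectors
build_table() {
    hdr_dev="$1"; data_dev="$2"; data_sectors="$3"
    printf '0 %d linear %s 0\n' "$HEADER_SECTORS" "$hdr_dev"
    printf '%d %d linear %s 0\n' "$HEADER_SECTORS" "$data_sectors" "$data_dev"
}

# Size in sectors of the resulting virtual device (header plus data).
virtual_size() {
    echo $(( HEADER_SECTORS + $1 ))
}

# The root-only steps, kept in a function so nothing runs when the file is sourced.
setup_virtual_device() {
    truncate -s $(( HEADER_SECTORS * 512 )) /media/usb/luks.hdr
    losetup /dev/loop0 /media/usb/luks.hdr
    data_sectors=$(blockdev --getsz /dev/sdb1)
    build_table /dev/loop0 /dev/sdb1 "$data_sectors" | dmsetup create luksvirt
    # /dev/mapper/luksvirt now behaves like one plain block device, so
    # luksFormat writes its header into the loop-backed file, not onto the disk:
    #   cryptsetup luksFormat /dev/mapper/luksvirt
    #   cryptsetup luksOpen /dev/mapper/luksvirt secret
    # Tear-down, in reverse: cryptsetup luksClose secret; dmsetup remove luksvirt;
    # losetup -d /dev/loop0.
}
```

Two checks before relying on this: the reservation must be at least the payload offset cryptsetup chooses (`cryptsetup luksDump` prints it in sectors), otherwise key material spills onto the disk; and the header file needs the same backup discipline as any other key, since losing it loses the volume. For the gpg part of the question, one approach (an assumption, not something the thread settles) is to keep the file gpg-encrypted on the stick and decrypt it into a tmpfs before `losetup`. Current cryptsetup releases also accept a detached header directly via the `--header` option, which makes the dmsetup layer unnecessary.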


---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/