Lars Täuber <lars.taeuber@xxxxxxx> wrote:
> luksFindKeySlots
> With this option I could let the co-admin type in his key and see which slots it is. To be sure there is no other slot containing the same key cryptsetup should test all slots and return all numbers of slots that contain this key.

Well, apart from `cryptsetup luksOpen' already telling you which key slot has been unlocked...

Your approach is quite dangerous: when your co-admin was able to do a `cryptsetup luksOpen', he was probably also able to do a `cryptsetup luksAddKey' to add other keys you don't know about (and whose existence he thus doesn't necessarily need to reveal to you).

So, from a luks point of view, the safe way for you would be to identify your own key slot (luksOpen) and to kill all others (luksKillSlot, luksDump tells you which slots are in use).

However, from a dm-crypt point of view, this is probably not safe either: Since your co-admin was able to luksOpen your devices, I guess he was root. If he was, he could, of course, just reveal the master-keys of your devices (dmsetup --showkeys table). Thus, he doesn't need luks at all to open your devices ;)

regards
Mario
--
And like every language, PHP too has an area of application for which it is particularly well suited. As far as I can see, that is what is known as "shooting yourself in the foot".
-- Volker Birk, de.alt.sysadmin.recovery

dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
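
The LUKS-level step described in the message above (keep the slot luksOpen reported for your key, kill every other slot luksDump shows in use), as an added example that is not part of the original post. The function names and `/dev/sdX` are placeholders, the luksDump text is constructed, and the LUKS2 layout goes beyond the LUKS1 format the post was written against; the root/master-key caveat in the message is outside what this covers.

```shell
#!/bin/sh
# Added example: function names and /dev/sdX are placeholders; dumps are constructed.
# other_slots OWN_SLOT: reads `cryptsetup luksDump` text on stdin, prints every
# in-use key slot except OWN_SLOT (the slot luksOpen reported for your key).
other_slots() {
    awk -v own="$1" '
        # LUKS1: "Key Slot 2: ENABLED" / "Key Slot 3: DISABLED"
        /^Key Slot [0-9]+: ENABLED/ {
            s = $3; sub(/:/, "", s)
            if ((s "") != (own "")) print s
            next
        }
        # LUKS2: slots are "  N: luks2" lines under "Keyslots:" only;
        # "Digests:" reuses the same numbering and must not be counted.
        /^[A-Za-z]/ { in_ks = ($1 == "Keyslots:"); next }
        in_ks && /^ +[0-9]+: / {
            s = $1; sub(/:/, "", s)
            if ((s "") != (own "")) print s
        }
    '
}

# kill_plan DEVICE OWN_SLOT: prints (never runs) a luksKillSlot per foreign slot.
kill_plan() {
    other_slots "$2" | while read -r slot; do
        printf 'cryptsetup luksKillSlot %s %s\n' "$1" "$slot"
    done
}

sample_luks1() {  # constructed, abridged LUKS1 dump
    cat <<'EOF'
LUKS header information for /dev/sdX
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: ENABLED
Key Slot 5: ENABLED
EOF
}
sample_luks2() {  # constructed, abridged LUKS2 dump
    cat <<'EOF'
Keyslots:
  0: luks2
  1: luks2
Digests:
  0: pbkdf2
EOF
}

sample_luks1 | kill_plan /dev/sdX 0
```

On a real device the input would come from `cryptsetup luksDump` on that device, and the printed commands are meant to be reviewed before anything is run.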