I seem to remember that PGP/GPG also allows you to encrypt for multiple
recipients, i.e. multiple keys.

Arno

On Fri, Oct 31, 2008 at 09:20:21PM +0000, Struan Bartlett wrote:
>
> Hi,
>
> I've been using cryptsetup/luks to manage encrypted LVM partitions for a
> while now and must say it's very impressive.
>
> The reason for my email is that I've been looking for an encryption
> system for a slightly different purpose though: encrypting individual
> files for storage to Amazon S3. I realise Amazon S3 naturally encrypts
> all stored data but the keys are generated by Amazon, so that isn't
> really satisfactory. Stored data is not hidden from Amazon staff or
> whosoever obliges Amazon to release their keys.
>
> Obviously there are lots of tools for encrypting individual files, but
> what luks (uniquely?) offers is the ability to assign multiple passwords
> and change passwords easily when the need arises. If - to use luks
> terminology - one could split the luks header/key-slots from the bulk
> data and store them separately, this facility would be especially
> valuable for encrypting Amazon S3 files. This is because it would allow
> passwords to be modified without having to retrieve and restore the bulk
> data file, only the changed header/key-slots file. This is especially
> important with S3 as Amazon only allows entire files to be uploaded or
> downloaded, and bandwidth is charged for. If a file is large, or if
> there are lots of files, downloading, re-encrypting and uploading each
> can be very expensive.
>
> I've been looking at using luks for this purpose, using the following
> approach:
>
> # dd if=/dev/zero of=file.luks bs=1 count=<filesize>
> # losetup /dev/loop0 file.luks
> # cryptsetup luksFormat /dev/loop0
> # cryptsetup luksOpen /dev/loop0 myfilemap
> # dd if=<file> of=/dev/mapper/myfilemap
> # cryptsetup luksClose myfilemap
> # losetup -d /dev/loop0
> # dd if=file.luks of=file.luks.header bs=512 count=1032
> # dd if=file.luks of=file.luks.data bs=512 skip=1032
>
> Finally, file.luks.header and file.luks.data can be uploaded to Amazon.
> I also have tested that it is possible to modify passwords in the
> file.luks.header directly, e.g.
>
> # losetup /dev/loop0 file.luks.header
> # cryptsetup luksDump /dev/loop0
> # cryptsetup luksAddKey /dev/loop0
> # cryptsetup luksDelKey /dev/loop0 <n>
> # losetup -d /dev/loop0
>
> And when the header and data files are subsequently concatenated, one
> can regain access to the data.
>
> # cat file.luks.header file.luks.data >file.luks.new
>
> Does anyone have any opinions about the sanity of this approach? Is
> there a better tool or approach I'm missing? I would be very grateful
> for any feedback.
>
> Kind regards,
>
> Struan Bartlett
> Head of IT
>
> --
> ____________________________________
> Struan Bartlett
> NewsNow Publishing Limited
> http://www.NewsNow.co.uk
> Tel: +44 (0)845 838 8890
> Fax: +44 (0)834 838 8898
> ____________________________________
>
> ---------------------------------------------------------------------
> dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
> To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
> For additional commands, e-mail: dm-crypt-help@xxxxxxxx

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of "news" is
"something that hardly ever happens." -- Bruce Schneier
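As an added example (not from this thread or from cryptsetup), the split/rejoin the quoted commands perform, done as shell functions that read the payload offset out of the LUKS1 header instead of hard-coding 1032 sectors, since cryptsetup derives that offset from key size and version and it is not fixed. It assumes the LUKS1 on-disk layout (6-byte magic "LUKS\xba\xbe", 2-byte version, big-endian 32-bit payloadOffset in sectors at byte 104); the container it builds is a constructed stand-in with no real cipher, and all file and function names are my own.

```shell
#!/bin/sh
# Split a LUKS1 container into header and payload at the payloadOffset the
# header itself records, then check that rejoining is byte-identical.
# Assumed LUKS1 layout: 6-byte magic "LUKS\xba\xbe", 2-byte version, and a
# big-endian 32-bit payloadOffset (in 512-byte sectors) at byte 104.
# All file names below are constructed examples.

# Print payloadOffset (sectors) of the LUKS1 header in $1; fail on bad magic.
luks1_payload_offset() {
    magic=$(od -An -tx1 -N6 "$1" | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ] || { echo "not a LUKS1 header: $1" >&2; return 1; }
    od -An -tu1 -j104 -N4 "$1" | awk '{ print $1*16777216 + $2*65536 + $3*256 + $4 }'
}

# Split container $1 into header+key slots $2 and encrypted payload $3.
luks1_split() {
    off=$(luks1_payload_offset "$1") || return 1
    dd if="$1" of="$2" bs=512 count="$off" 2>/dev/null &&
    dd if="$1" of="$3" bs=512 skip="$off" 2>/dev/null
}

# Rejoin header $1 and payload $2 into $3; succeed only if $3 equals original $4.
luks1_join_and_verify() {
    cat "$1" "$2" > "$3" && cmp -s "$3" "$4"
}

# Constructed stand-in container (no real cipher): a zeroed 1032-sector header
# area carrying magic, version 1 and payloadOffset=1032, then sample payload.
make_fake_container() {
    dd if=/dev/zero of="$1" bs=512 count=1032 2>/dev/null
    printf 'LUKS\272\276\000\001' | dd of="$1" conv=notrunc 2>/dev/null
    printf '\000\000\004\010' | dd of="$1" bs=1 seek=104 conv=notrunc 2>/dev/null
    printf 'constructed sample payload bytes\n' >> "$1"
}

# End-to-end run in a temporary directory; returns 0 when split and rejoin agree.
demo() {
    d=$(mktemp -d) || return 1
    make_fake_container "$d/file.luks" &&
    luks1_split "$d/file.luks" "$d/file.luks.header" "$d/file.luks.data" &&
    luks1_join_and_verify "$d/file.luks.header" "$d/file.luks.data" \
                          "$d/file.luks.new" "$d/file.luks"
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Call `demo` to run the whole cycle on the constructed container; on a real container made with luksFormat, `luks1_split` alone does what the two `dd` lines in the quoted message do, with the offset taken from the header.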