I believe his point is that if he creates a Linux installation inside a VMWare vm, and luksFormats the drive image from within the image, then once he has installed everything on that image, that when he is done and now wishes to send that vmware image to others, they will all have the same key. Even if they change their passphrase, that is just encrypting the same key differently. Then any one person can decrypt anyone else's image, as the keys are all the same. He does not need the other person's passphrase to decode the key passed to the cypher, as his vmware image, he knows the key to, and has the same underlying key that is passed to the cypher.

I am guessing the answer is no, that luks/cryptsetup/dmsetup does not support switching the key used by the cypher. There are probably no tools to do this.

What you could do is have your startup scripts in the image, on bootup, create a new filesystem on top of a newly luksFormatted image, and then copy everything to there.

Sam

> At Wed, 19 Aug 2009 16:54:24 +0200,
> > octane indice wrote:
> > But every people I give the appliance will have the crypto key which
> > crypt and decrypt data. So, as a security point of view, it's not
> > acceptable.
>
> I'm not sure at all if I understand correctly what you have in mind, but
> to unlock a LUKS/dmcrypt partition, you have to provide the correct
> passphrase/keyfile. If you do not, there is no way other than bruteforcing
> it or an attack towards the encryption itself. The master key itself stays
> fully encrypted.
>
> You can read more here:
> http://cryptsetup.googlecode.com/svn-history/r42/wiki/LUKS-standard/on-disk-format.pdf

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
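
An added example, not part of the original thread and not cryptsetup code: a parser for the LUKS1 header described in the on-disk format document linked above, used to check whether two images were cloned from one luksFormat and so share a master key. The sample headers, UUID strings and helper names are constructed for the demonstration.

```python
import hashlib
import os
import struct

# LUKS1 partition header (big-endian): magic, version, cipher-name, cipher-mode,
# hash-spec, payload-offset, key-bytes, mk-digest, mk-digest-salt,
# mk-digest-iter, uuid. Eight 48-byte key slots follow it.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")  # active, iterations, salt, offset, stripes
MAGIC, ACTIVE, DISABLED = b"LUKS\xba\xbe", 0x00AC71F3, 0x0000DEAD

def parse_phdr(blob):
    """Return the header fields that identify the volume's master key."""
    f = PHDR.unpack_from(blob)
    if f[0] != MAGIC or f[1] != 1:
        raise ValueError("not a LUKS1 header")
    return {"mk_digest": f[7], "mk_salt": f[8], "mk_iter": f[9],
            "uuid": f[10].rstrip(b"\0").decode()}

def same_master_key(a, b):
    """True when both headers carry the same mk-digest, salt and iterations.
    mk-digest is PBKDF2 over the master key, so a match means a shared key.
    A mismatch proves nothing on its own: the same key re-salted would differ."""
    ha, hb = parse_phdr(a), parse_phdr(b)
    return all(ha[k] == hb[k] for k in ("mk_digest", "mk_salt", "mk_iter"))

def build_phdr(master_key, uuid):
    """Constructed sample header for the demo (not written by cryptsetup)."""
    salt, iters = os.urandom(32), 1000
    digest = hashlib.pbkdf2_hmac("sha1", master_key, salt, iters, 20)
    head = PHDR.pack(MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1",
                     4096, len(master_key), digest, salt, iters, uuid.encode())
    slots = SLOT.pack(ACTIVE, 1000, os.urandom(32), 8, 4000)
    slots += SLOT.pack(DISABLED, 0, bytes(32), 0, 4000) * 7
    return head + slots

def change_passphrase(blob):
    """Simulate a passphrase change: key slot 0 is rewritten, nothing else."""
    slot0 = SLOT.pack(ACTIVE, 2000, os.urandom(32), 8, 4000)
    return blob[:PHDR.size] + slot0 + blob[PHDR.size + SLOT.size:]

if __name__ == "__main__":
    shipped = build_phdr(os.urandom(32), "constructed-uuid-appliance")
    copy = change_passphrase(shipped)          # recipient picks a new passphrase
    fresh = build_phdr(os.urandom(32), "constructed-uuid-reformatted")
    print("copy shares key:", same_master_key(shipped, copy))
    print("fresh shares key:", same_master_key(shipped, fresh))
```

On real images the same three fields appear in the `cryptsetup luksDump` output as MK digest, MK salt and MK iterations.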