DM-crypt itself does not have such an option, but the following might be
possible:
Encrypt the actual luks key with gpg. You would need the gpg passphrase
(or key for that matter) to obtain the 'unencrypted' luks key, which in
turn is used to retrieve the actual luks masterkey stored in the volume.
Another way of looking at this: You need gpg and some key (or
passphrase) to obtain your luks passphrase.
Would that be feasible for you?
Regards
-Sven
Darren Grant wrote:
Hi
Just discovered LUKS in CentOS and it looks like an ideal way to encrypt
a partition with my MySQL data files on.
I have a HP Proliant server with removable drives and thought that the
ideal situation would be to require 2 keys to unlock the partition. The
first would be either a passphrase or a keyfile on an external removable
USB key and the second would be a key file in flash memory that is
mounted securely internally in the machine. I know that LUKS supports
multiple key slots but is there a way to require 2 to be used?
The thinking being that should someone steal the whole system they would
need the passphrase or external keyfile to access the drive but if they
remove a drive and manage to get hold of the passphrase or pick up a USB
key disk there would be no way of them using it as they would also need
the key that is safely secured inside the server. Essentially they would
need both an access key and the actual machine that the drive was
installed in.
Thanks
Darren
ADSL Nation Ltd. +44 (0) 1865 761114
Registered in England & Wales, company number: 04457730.
Registered address: 29 Glebelands, Headington, Oxford, OX3 7EN.
------------------------------------------------------------------------
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
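A model of the layering suggested in the reply above, as an added example that is not part of the original thread: the random key enrolled in LUKS exists only as a passphrase-wrapped blob kept inside the server, so unlocking needs both the blob and the passphrase. PBKDF2 and HMAC from the Python standard library stand in here for gpg's symmetric encryption; the function names, blob layout and iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this sketch


def _derive(passphrase: bytes, salt: bytes):
    """Stretch the passphrase into a 32-byte pad and a 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", passphrase, salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def wrap_luks_key(luks_key: bytes, passphrase: bytes) -> bytes:
    """Return salt || ciphertext || tag, the blob kept on the internal flash."""
    if len(luks_key) != 32:
        raise ValueError("this sketch wraps exactly 32 bytes")
    salt = secrets.token_bytes(16)  # fresh salt, so the pad is never reused
    pad, mac_key = _derive(passphrase, salt)
    ct = bytes(k ^ p for k, p in zip(luks_key, pad))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + ct + tag


def unwrap_luks_key(blob: bytes, passphrase: bytes) -> bytes:
    """Recover the LUKS key; fail closed on a wrong passphrase or bad blob."""
    if len(blob) != 80:
        raise ValueError("wrapped key blob is missing or truncated")
    salt, ct, tag = blob[:16], blob[16:48], blob[48:]
    pad, mac_key = _derive(passphrase, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or damaged blob")
    return bytes(c ^ p for c, p in zip(ct, pad))


def demo():
    luks_key = secrets.token_bytes(32)    # the only key enrolled in a LUKS slot
    operator = b"constructed passphrase"  # constructed sample value
    blob = wrap_luks_key(luks_key, operator)  # stored inside the server
    results = {"both": unwrap_luks_key(blob, operator) == luks_key}
    # Passphrase without the blob, then blob with a guessed passphrase.
    for name, args in (("no_blob", (b"", operator)), ("bad_pass", (blob, b"guess"))):
        try:
            results[name] = unwrap_luks_key(*args) == luks_key
        except ValueError:
            results[name] = False
    return results


if __name__ == "__main__":
    print(demo())  # the recovered key would be fed to cryptsetup --key-file=-
```

The two-factor property holds only while no other LUKS key slot accepts the passphrase or a keyfile on its own.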