Re: Multiple Keys


 



DM-crypt itself does not have such an option, but the following might be possible:

Encrypt the actual luks key with gpg. You would need the gpg passphrase (or key for that matter) to obtain the 'unencrypted' luks key, which in turn is used to retrieve the actual luks masterkey stored in the volume.

Another way of looking at this: You need gpg and some key (or passphrase), to obtain your luks passphrase.

Would that be feasible for you?

Regards

-Sven



Darren Grant wrote:
Hi

Just discovered LUKS in CentOS and it looks like an ideal way to encrypt a partition with my MySQL data files on.

I have an HP Proliant server with removable drives and thought that the ideal situation would be to require 2 keys to unlock the partition. The first would be either a passphrase or a keyfile on an external removable USB key and the second would be a key file in flash memory that is mounted securely internally in the machine. I know that LUKS supports multiple key slots but is there a way to require 2 to be used?

The thinking being that should someone steal the whole system they would need the passphrase or external keyfile to access the drive but if they remove a drive and manage to get hold of the passphrase or pick up a USB key disk there would be no way of them using it as they would also need the key that is safely secured inside the server. Essentially they would need both an access key and the actual machine that the drive was installed in.

Thanks
Darren
ADSL Nation Ltd. +44 (0) 1865 761114
Registered in England & Wales, company number: 04457730.
Registered address: 29 Glebelands, Headington, Oxford, OX3 7EN.






------------------------------------------------------------------------

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
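
One way to set up the gpg-wrapped LUKS key suggested in the reply, laid out as the two-factor arrangement asked for in the question. This is an added example, not part of the original thread: the paths, device and mapping name are assumptions, and the gpg options assume GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example (not from the thread). Two factors are needed to unlock:
#   PASS = gpg passphrase file on the removable USB stick (external factor)
#   BLOB = gpg-encrypted LUKS keyfile on the internal flash (machine factor)
# All paths, the device and the mapping name are assumptions.

# Create a random 64-byte LUKS key and store it only in gpg-encrypted form.
wrap_new_key() {    # $1 = PASS, $2 = BLOB
    head -c 64 /dev/urandom |
        gpg --batch --yes --quiet --pinentry-mode loopback \
            --passphrase-file "$1" --symmetric --cipher-algo AES256 \
            --output "$2"
}

# Write the plaintext LUKS key to stdout; fails if PASS does not match BLOB.
unwrap_key() {      # $1 = PASS, $2 = BLOB
    gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-file "$1" --decrypt "$2"
}

# One-time setup: add the wrapped key to a free slot. cryptsetup prompts for
# an existing passphrase. The key touches only a RAM-backed temp file.
enroll_key() {      # $1 = PASS, $2 = BLOB, $3 = LUKS device
    tmp=$(mktemp /dev/shm/lukskey.XXXXXX) || return 1
    unwrap_key "$1" "$2" > "$tmp" && cryptsetup luksAddKey "$3" "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Unlock: gpg output goes straight into cryptsetup, never onto disk.
unlock_volume() {   # $1 = PASS, $2 = BLOB, $3 = LUKS device, $4 = mapping name
    unwrap_key "$1" "$2" | cryptsetup luksOpen "$3" "$4" --key-file=-
}

# Typical use, as root (hypothetical paths):
#   wrap_new_key  /mnt/usb/pass /mnt/flash/mysql.key.gpg
#   enroll_key    /mnt/usb/pass /mnt/flash/mysql.key.gpg /dev/sdb1
#   unlock_volume /mnt/usb/pass /mnt/flash/mysql.key.gpg /dev/sdb1 mysqldata
# Then remove every slot that a single secret opens (cryptsetup luksKillSlot),
# otherwise that slot bypasses the two-factor requirement.
```

The drive alone carries neither factor, the USB stick alone carries only the gpg passphrase, and the internal flash alone carries only the encrypted blob.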
