Re: Multiple Keys

Thanks Sven

Thanks for the suggestion, that does seem plausible. There are obviously two ways I could do this: put the GPG key on the server and the luks keys on the USB stick, or the luks keys on the server and GPG on the server.

Seems for convenience a good idea to use GPG to create a keyfile that I could put on an external USB stick, and then I can put any number of encrypted luks keys on the internal flash for various partitions without having to update every external USB key. It would also mean that the same USB key could be used on more than one machine if necessary. The downside of that is there would be no way of revoking one key, as revoking the GPG key would stop all USB keys from working, and there would be no traceability as to whose key was used to access the server.

For maximum security it would seem the other way round would be better: put the GPG key on the server and the luks keys on the USB stick; that way each stick can have a unique luks key, making it easy to revoke that key if the USB stick is lost, copied or otherwise abused. The downside being that each time a new partition is added with a new key file, every USB key would need to be updated.

Any other pros/cons people can think of for which way round would be best?

Then it's just a case now of figuring out how to get GPG to decrypt the luks key during boot; at least my root partition is not encrypted, so no problems there. Anyone already using this sort of set-up?

Thanks
Darren


On 23 Oct 2009, at 01:01, Sven Eschenberg wrote:

DM-crypt itself does not have such an option, but the following might be possible:

Encrypt the actual luks key with gpg. You would need the gpg passphrase (or key for that matter) to obtain the 'unencrypted' luks key, which in turn is used to retrieve the actual luks masterkey stored in the volume.

Another way of looking at this: You need gpg and some key (or passphrase), to obtain your luks passphrase.

Would that be feasible for you?

Regards

-Sven
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
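One way to wire up the scheme Sven describes, as an added example that is not from either poster: a small boot-time key script that decrypts a GPG-encrypted LUKS key file and hands the plaintext to cryptsetup over stdin, so the unencrypted key never lands on disk. It assumes Debian's crypttab `keyscript=` convention (the key path arrives as `$1`, the key goes to stdout); every path and device name is a placeholder, and `GPG`/`CRYPTSETUP` are overridable so the logic can be dry-run without root.

```shell
#!/bin/sh
# Added example, not code from the thread. Decrypts a GPG-encrypted LUKS key
# file at boot and feeds the plaintext key to cryptsetup via stdin.
set -eu

GPG="${GPG:-gpg}"                           # overridable for dry-runs
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"
GNUPGHOME="${GNUPGHOME:-/etc/keys/gnupg}"   # assumed: where the GPG secret key lives
export GNUPGHOME

# Decrypt one GPG-encrypted LUKS key file to stdout. On a missing file or a
# failed decryption return non-zero and print nothing, so cryptsetup falls
# back to a passphrase prompt rather than receiving garbage as the key.
decrypt_keyfile() {
    enc="$1"
    [ -f "$enc" ] || { echo "keyfile $enc not found" >&2; return 1; }
    "$GPG" --quiet --batch --no-tty --decrypt "$enc"
}

# Unlock a LUKS volume with the decrypted key. "--key-file=-" makes cryptsetup
# read the key from stdin, so the plaintext only ever exists in the pipe.
unlock_volume() {
    dev="$1"; name="$2"; enc="$3"
    decrypt_keyfile "$enc" | "$CRYPTSETUP" luksOpen --key-file=- "$dev" "$name"
}

# Keyscript entry point for an assumed /etc/crypttab line such as:
#   data  /dev/sdb1  /mnt/usbkey/data.key.gpg  luks,keyscript=/lib/cryptsetup/scripts/gpgkey
# cryptsetup passes the key path as $1 and reads the key from stdout.
[ "${1:-}" ] && decrypt_keyfile "$1"
```

With the "GPG key on the server" layout, point `GNUPGHOME` at the server's keyring and keep only the `.gpg` key files on the USB stick; with the other layout, mount the stick and point `GNUPGHOME` at it instead.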
