In principle, any tool that can reasonably interface to a commandline interface can do this, see the FAQ and the man-page. On the other hand, password rotation is a dead-end, and makes the problem worse, see e.g. http://www.schneier.com/blog/archives/2010/11/changing_passwo.html http://transvasive.com/index.php?option=com_content&id=46 The basic problem is that password rotation prevents the use of good, harder to remember passwords, while at the same time it does noting to increae security. Once somebody halfway competent has broken in, they will put in their own backdoor anyways. In the few instances I am subject to this stupid measure, I have taken to just attach the number fo the month to the password. The one enterprise feature that is important is a recovery password. For LUKS, this could be enforced either by policy, or by an adjusted set-up tool. For example, you could mandate that keyslot 8 always needs to contain a company recovery password or that a long, random password has to be put into keyslot 8 and then stored in a sealed envelope in a safe. Arno On Thu, Mar 07, 2013 at 03:27:56PM -0500, Jeff Diehl wrote: > Is anyone aware of a product/tool that can manage LUKS credentials > at an enterprise level. More specifically, something that can deal > with things like password rotation. > > -- > JD > _______________________________________________ > dm-crypt mailing list > dm-crypt@xxxxxxxx > http://www.saout.de/mailman/listinfo/dm-crypt -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- One of the painful things about our time is that those who feel certainty are stupid, and those with any imagination and understanding are filled with doubt and indecision. -- Bertrand Russell _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
