On 26 Oct 2016 10:43 -0600, from clemfoster@xxxxxxxxxxxxx (ClEmFoster):
> The problem is they are going to start requiring that
> these machines also receive a passphrase change every 3 or 6 months.

Not sure what threat model that is meant to protect against, but...

> cryptsetup for luks requires an existing passphrase to add/change another.
> Physical interaction to change passphrase is not very realistic for 100+
> machines. Ideally I would like to change the password via an automated
> system.

Perhaps unless you are running an ancient cryptsetup, and assuming
that you really are working with LUKS (not plain dm-crypt), the manual
page explicitly states that the passphrases do not need to be provided
interactively:

    luksChangeKey <device> [<new key file>]

        Changes an existing passphrase. The passphrase to be changed
        must be supplied interactively or via --key-file. The new
        passphrase can be supplied interactively or in a file given
        as positional argument.

        /.../

        <options> can be [--key-file, --keyfile-offset,
        --keyfile-size, --new-keyfile-offset, --new-keyfile-size,
        --key-slot].

That should be all you need.

-- 
Michael Kjörling • https://michael.kjorling.se • michael@xxxxxxxxxxx
“People who think they know everything really annoy
those of us who know we don’t.” (Bjarne Stroustrup)
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
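The non-interactive change described in the reply above, as an added example that is not part of the original message or of cryptsetup's documentation. The function names, argument order and return codes are this example's own, and it assumes the old and new passphrases reach the machine as key files from whatever management system drives the rotation.

```sh
#!/bin/sh
# Added example. Function names, argument order and return codes are this
# example's own; the cryptsetup actions and --key-file come from the man page.

# write_keyfile PATH
# Reads one line from stdin and stores it at PATH without the trailing newline.
# With --key-file the whole file is the passphrase, so a stray "\n" would make
# it differ from the same passphrase typed at a prompt.
write_keyfile() {
    ( umask 077; IFS= read -r pass && printf '%s' "$pass" > "$1" )
}

# rotate_luks_passphrase DEVICE OLD_KEYFILE NEW_KEYFILE
# Returns 0 on success, 1 bad arguments, 2 not a LUKS device,
# 3 old passphrase rejected, 4 change failed, 5 new passphrase does not unlock.
rotate_luks_passphrase() {
    dev=$1; old=$2; new=$3
    [ -n "$dev" ] && [ -r "$old" ] && [ -s "$new" ] || return 1

    # Plain dm-crypt has no key slots, so there is nothing to change.
    cryptsetup isLuks "$dev" || return 2

    # Check the old passphrase before touching the header, so a stale
    # inventory entry is reported as such rather than as a failed change.
    cryptsetup open --test-passphrase --key-file "$old" "$dev" || return 3

    # The non-interactive form quoted above: old via --key-file, new as the
    # positional key file.
    cryptsetup luksChangeKey --key-file "$old" "$dev" "$new" || return 4

    # Prove the new passphrase unlocks a key slot before the caller
    # discards the old one.
    cryptsetup open --test-passphrase --key-file "$new" "$dev" || return 5
}
```

Keep both key files on a tmpfs such as /run and delete them once the function returns; the distinct return codes let a fleet job tell a wrong inventory entry (3) from a failed header update (4 or 5).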