On Wed, October 26, 2016 2:39 pm, Michael Kjörling wrote:
> On 26 Oct 2016 10:43 -0600, from clemfoster@xxxxxxxxxxxxx (ClEmFoster):
>
>> The problem is they are going to start requiring that
>> these machines also receive a passphrase change every 3 or 6 months.
>
> Not sure what threat model that is meant to protect against, but...

Agreed, but I have no say in this requirement.

>> cryptsetup for luks requires an existing passphrase to add/change
>> another. Physical interaction to change passphrase is not very realistic
>> for 100+ machines. Ideally I would like to change the password via an
>> automated system.
>
> Perhaps unless you are running an ancient cryptsetup, and assuming
> that you really are working with LUKS (not plain dm-crypt), the manual page
> explicitly states that the passphrases do not need to be provided
> interactively:
>
>     luksChangeKey <device> [<new key file>]
>
>     Changes an existing passphrase. The passphrase to be changed
>     must be supplied interactively or via --key-file. The new passphrase can be
>     supplied interactively or in a file given as positional argument. /.../
>     <options> can be [--key-file, --keyfile-offset, --keyfile-size,
>     --new-keyfile-offset, --new-keyfile-size, --key-slot].
>
> That should be all you need.

I did read that in the man page, but if you want a passphrase changed in that manner then you have to put the new and old passphrase in a file in plain text. Unless I am missing something. I was hoping to find some way to encrypt it before passing it in, like you can do with other applications.

> --
> Michael Kjörling • https://michael.kjorling.se • michael@xxxxxxxxxxx
> “People who think they know everything really annoy those of us who know
> we don’t.” (Bjarne Stroustrup)
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> http://www.saout.de/mailman/listinfo/dm-crypt

Thanks
Travis
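
The file-based `luksChangeKey` form quoted in this thread, as an added example that is not part of the original message or of cryptsetup: a shell function that keeps both key files in a private RAM-backed directory only for the duration of the call and writes them without a trailing newline. Assumptions: the two passphrases arrive on stdin, one per line; `/dev/shm` is a tmpfs; the names `rotate_luks_passphrase` and `KEYDIR_BASE` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or the cryptsetup project).
# rotate_luks_passphrase DEVICE
#   stdin line 1 = current passphrase, line 2 = new passphrase.
# Hypothetical names: rotate_luks_passphrase, KEYDIR_BASE.
rotate_luks_passphrase() {
    dev=$1
    # Assumption: /dev/shm is a RAM-backed tmpfs, so the key files never
    # reach the disk; override with KEYDIR_BASE if it is mounted elsewhere.
    base=${KEYDIR_BASE:-/dev/shm}
    old_umask=$(umask)
    umask 077    # directory is created 0700, key files 0600
    keydir=$(mktemp -d "$base/luksrot.XXXXXX") || { umask "$old_umask"; return 2; }
    IFS= read -r old_pw || :    # "|| :" tolerates a missing final newline
    IFS= read -r new_pw || :
    rc=1
    if [ -n "$old_pw" ] && [ -n "$new_pw" ]; then
        # printf '%s' adds no trailing newline. A key file is used byte for
        # byte, so a newline would silently become part of the passphrase
        # and the boot-time prompt would no longer accept what was typed.
        printf '%s' "$old_pw" > "$keydir/old"
        printf '%s' "$new_pw" > "$keydir/new"
        # Invocation form quoted from the man page in the thread:
        #   luksChangeKey <device> [<new key file>], --key-file for the old one
        cryptsetup luksChangeKey "$dev" --key-file "$keydir/old" "$keydir/new" \
            && rc=0 || rc=$?
    fi
    rm -rf "$keydir"    # runs on success and on failure
    unset old_pw new_pw
    umask "$old_umask"
    return "$rc"
}

# Usage on a managed host (device path is a placeholder):
#   rotate_luks_passphrase /dev/sdX2 < passphrases-from-management-channel
```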