Arno, Michael,

Thank you for the information. As a follow up, I will have a decrypted version of the master key which I got via luksDump --dump-master-key. I checked the FAQ and can't find something on how to overwrite a key slot with a good master key. If I have this master key, what would be the process to replace the passphrase in keyslot 0 with a new passphrase?

This is my process so far for backup in case of header corruption or forgetting/changing passphrase:

1: Create a header backup:
   Mount my encrypted USB drive
   cd /mnt/encryptedUSB
   cryptsetup luksHeaderBackup --header-backup-file {hostname_partition_header}.bin /dev/xvdb1

2: Create a backup of the key:
   cryptsetup luksDump --dump-master-key /dev/xvdb1 > {hostname_partition_dump}.txt
   dmsetup table --target crypt --showkey /dev/mapper/encrypted > {hostname_partition}.key
   (this is going onto a hardware encrypted USB. I might replace this with Arno's suggestion and stick this into a safe)

3: Create a Keepass file and store the passphrase at the time {hostname_partition_header}.bin was taken.

Any suggestions, holes in this plan?

Thanks again.

On Wed, Mar 29, 2017 at 7:32 PM, Arno Wagner <arno@xxxxxxxxxxx> wrote:
> On Wed, Mar 29, 2017 at 15:42:03 CEST, Waqar Khan wrote:
>> Hi,
>> I have read through the FAQ and it's got a lot of useful information
>> from the backup section.
>
> Thanks!
> [...]
>> Lastly, a few people have access to this machine (through the same
>> passphrase), some work colleagues, how can I protect against one
>> disgruntled member leaving the company and changing the passphrase
>> (then unmounting the volume for good measure) and not telling anyone?
>
> Simple: Have a header backup with a known passphrase and make sure
> that potentially disgruntled employee cannot kill that backup.
> Then you can just restore that header backup and use the known
> good passphrase in there. I would recommend using a passphrase
> for this that is used nowhere else and is the only passphrase
> in that header.
>
> Alternatively, you could write down or print the master key on
> paper and put that in a sealed envelope and that in a safe
> or bank lockbox. You should probably encrypt the master-key with
> PGP/GnuPG before and will still get something that still easily
> fits on paper and can be typed in with reasonable effort, but
> is less exposed than an unprotected master key and can be stored
> in a place where it is just not easily destroyed.
>
> Of course, you can also put a header-backup on paper, but that
> takes something like 50 pages or so if you just store the first
> keyslot.
>
> Regards,
> Arno
> --
> Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx
> GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
> ----
> A good decision is based on knowledge and not on numbers. -- Plato
>
> If it's in the news, don't worry about it. The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> http://www.saout.de/mailman/listinfo/dm-crypt
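The backup steps in the message above, as an added example that is not from the thread or from the cryptsetup project: a POSIX sh script that takes the header backup and the master-key dump, then checks that the backup file really starts with the LUKS magic and a version field of 1 or 2 (so a corrupt or empty copy is caught at backup time, not on the day the on-disk header is gone) and records a SHA-256 for later re-verification. The device path, mapping name and file names are taken from the message; the verification function and the 0600 permissions on the key files are my own additions.

```shell
#!/bin/sh
# Added example (not from the thread): back up a LUKS header and master key,
# then sanity-check the header backup so a bad copy is noticed immediately.

# Return 0 if FILE starts with the LUKS magic ("LUKS" 0xba 0xbe) followed by
# a big-endian version field of 1 (LUKS1) or 2 (LUKS2); return 1 otherwise.
verify_luks_header_backup() {
    file="$1"
    [ -r "$file" ] || return 1
    hdr=$(od -An -tx1 -N8 "$file" | tr -d ' \n')
    magic=$(printf '%s' "$hdr" | cut -c1-12)
    version=$(printf '%s' "$hdr" | cut -c13-16)
    [ "$magic" = "4c554b53babe" ] || return 1
    case "$version" in
        0001|0002) return 0 ;;
        *) return 1 ;;
    esac
}

# Header backup, verified and checksummed (re-check later with
# "sha256sum -c FILE.sha256" before trusting the copy for a restore).
backup_luks_header() {
    dev="$1"; out="$2"
    cryptsetup luksHeaderBackup --header-backup-file "$out" "$dev" || return 1
    if ! verify_luks_header_backup "$out"; then
        echo "$out does not look like a LUKS header, refusing to keep it" >&2
        return 1
    fi
    sha256sum "$out" > "$out.sha256"
}

# Master-key dump and dm-crypt table (both contain the key in clear),
# written with mode 0600 so nothing else on the host can read them.
dump_master_key() {
    dev="$1"; mapping="$2"; out="$3"
    ( umask 077
      cryptsetup luksDump --dump-master-key "$dev" > "$out.txt" &&
      dmsetup table --target crypt --showkey "$mapping" > "$out.key" )
}

# Usage mirroring the message (names from the thread; run as root):
#   cd /mnt/encryptedUSB
#   backup_luks_header /dev/xvdb1 "$(hostname)_xvdb1_header.bin"
#   dump_master_key /dev/xvdb1 /dev/mapper/encrypted "$(hostname)_xvdb1"
```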