Hi Suresh, no, that does not exist. As cryptsetup is callad as root, such a restriction would not make much sense anyways. Via sudo, you could completely forbid cryptsetup and only allow the commands you want wia scripts. You would habe to lock down the rest of the system pretty tightly though for that to work. Why not tell your employes to stay away from, say, slot 8 and keep a header backup just in case? If you do not trust your employees, you have lost anyways. Regards, Arno On Thu, May 03, 2018 at 04:01:29 CEST, Suresh Govindachar wrote: > Hello, > > My understanding is that LUKS supports 8 passphrases and that knowing any > one of them allows one to operate on the LUKS header, for example, to change > the passphrases in all the slots, to copy the exposed header etc. Is it > possible to restrict the rights of a particular slot, say, slot 8, to only > getting read/write access to the data and no access to the LUKS header? If > such were the case, an IT department could deploy laptops to employees with > the employees' passphrase occupying the special slot. > > If such a feature does not exist what commands would need to be removed from > the employees' sudo rights to achieve the same end? > > Thanks, > > --Suresh > _______________________________________________ > dm-crypt mailing list > dm-crypt@xxxxxxxx > https://www.saout.de/mailman/listinfo/dm-crypt -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- A good decision is based on knowledge and not on numbers. -- Plato If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx https://www.saout.de/mailman/listinfo/dm-crypt
