On 3/31/20 10:49 AM, Ondrej Kozina wrote:
> Since the unbound feature does the encryption: is it compatible with a smart card (PGP/GPG)?
> sudo cryptsetup luksAddKey --unbound --master-key-file ../lukstest/publickey.pem /dev/sdb --key-size 512 ../lukstest/privatekey
No, that's not how unbound keys work. With this command in particular
you'd add a new unbound keyslot whose content would be the first 64 bytes of
the publickey.pem file. The passphrase for that unbound keyslot would be
the privatekey file content.
To make the example and explanation more complete: you can store a secret
in an unbound keyslot. So technically you may use a LUKS2 unbound keyslot as
safe storage for any secret, even one completely unrelated to
cryptsetup/LUKS or disk encryption at all. Unfortunately we don't
provide an unbound keyslot dump into a file from the CLI (you may create an issue on
gitlab for it). It's possible to do it using the libcryptsetup API, though.
If interested, see:
- crypt_keyslot_add_by_key(): you'll need the CRYPT_VOLUME_KEY_NO_SEGMENT
flag to create an unbound keyslot
- crypt_volume_key_get(): you'll have to ask for the specific 'keyslot' id
of the unbound keyslot created by the previous crypt_keyslot_add_by_key()
- crypt_keyslot_status(): to find which keyslot is actually unbound
I'm not sure this is the most practical use for a LUKS2 unbound keyslot, but
who knows :)
Regards O.
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt