Bruno Wolff III <bruno@xxxxxxxx> writes:

> On Mon, Dec 08, 2008 at 14:10:58 +0530,
> Huzaifa Sidhpurwala <huzaifas@xxxxxxxxxx> wrote:
>> Yep,
>> I am wondering if I can have one slot filled by a passphrase and the
>> second one by a key, do you know if that is possible?
>
> There is an encrypted copy of the disk key in each slot. The key for each
> slot appears to be a string. It can be entered as a passphrase or a key
> file. That much is clear from the cryptsetup documentation. You had
> mentioned a public key system before, but I don't think that makes much
> sense to use. The key file allows you to use keys with lots of entropy, but
> the advantage to that is somewhat negated if the users will have passphrases
> of their choosing that they use to get at the disks.

The dm-crypt/LUKS model has a *single* key that actually does the underlying
encryption/decryption. The passphrase entered by the user unlocks access to
the key so that encryption/decryption takes place.

You can have up to 8 passphrases I believe, one of which should be an Admin
key and should not be shared. These can vary, though you can have the same
passphrase in more than one slot, which some have suggested as a backup of
the primary passphrase.

The advantage over other models, besides being cross-platform, is that you
can have multiple access keys with a single encryption key. That way, you
can disable one passphrase without compromising the access of others or
having to re-encrypt the whole partition with a new key.

LUKS does support the use of a USB key, though I have not used it myself.

More info here:

http://www.saout.de/tikiwiki/tiki-index.php?page=LUKSFaq

and there are probably other references available via Google searches.

HTH,

Marc Schwartz

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
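A simplified model of the key-slot scheme Bruno and Marc describe, added here as an illustration (it is not cryptsetup's code and not the real LUKS header format: the slot wrapping below is a PBKDF2-derived XOR pad, where real LUKS uses the volume cipher plus an anti-forensic splitter). It shows one master key, up to eight slots each holding a wrapped copy of it, any slot unlockable by a passphrase or by key-file bytes, and a slot being killed without the master key or the data changing.

```python
import os
import hashlib
import hmac

# Simplified model of LUKS key slots (added illustration, not cryptsetup's
# on-disk format). Iteration count is constructed low to keep the demo fast.
KEY_LEN, SALT_LEN, ITERATIONS, SLOTS = 32, 16, 50_000, 8

def _derive(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, KEY_LEN)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _fill_slot(header: dict, master_key: bytes, secret: bytes) -> int:
    slot = header["slots"].index(None)            # ValueError when all 8 are used
    salt = os.urandom(SALT_LEN)
    header["slots"][slot] = (salt, _xor(master_key, _derive(secret, salt)))
    return slot

def luks_format(secret: bytes) -> tuple[dict, bytes]:
    """Generate the single master key and store it in slot 0 under `secret`."""
    master_key = os.urandom(KEY_LEN)
    digest_salt = os.urandom(SALT_LEN)
    header = {"digest_salt": digest_salt,
              "mk_digest": _derive(master_key, digest_salt),  # verifies an unwrap
              "slots": [None] * SLOTS}
    _fill_slot(header, master_key, secret)
    return header, master_key

def luks_open(header: dict, secret: bytes):
    """Try every active slot; `secret` may be a passphrase or key-file bytes."""
    for entry in header["slots"]:
        if entry is None:
            continue
        salt, wrapped = entry
        candidate = _xor(wrapped, _derive(secret, salt))
        if hmac.compare_digest(_derive(candidate, header["digest_salt"]),
                               header["mk_digest"]):
            return candidate
    return None                                   # no slot matched

def luks_add_key(header: dict, existing: bytes, new: bytes) -> int:
    """Like luksAddKey: an existing secret must unlock before a slot is added."""
    master_key = luks_open(header, existing)
    if master_key is None:
        raise PermissionError("no key slot matched the existing secret")
    return _fill_slot(header, master_key, new)

def luks_kill_slot(header: dict, slot: int) -> None:
    """Disable one slot; the master key and the encrypted data are untouched."""
    header["slots"][slot] = None
```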