
List:       dm-crypt
Subject:    [dm-crypt] Multiple Keys
From:       darren.grant () adslnation ! com (Darren Grant)
Date:       2009-10-23 10:58:00
Message-ID: 888F5036-1442-432F-959A-4D2C2ADB31D2 () adslnation ! com

Thanks Sven

Thanks for the suggestion, that does seem plausible. There are
obviously two ways I could do this: put the GPG key on the server and
luks keys on the USB stick, or luks keys on the server and GPG on the
server.

Seems for convenience a good idea to use GPG to create a keyfile that
I could put on an external USB stick, and then I can put any number of
encrypted luks keys on the internal flash for various partitions
without having to update every external USB key. It would also mean
that the same USB key could be used on more than one machine if
necessary. The downside of that is there would be no way of revoking
one key, as revoking the GPG key would stop all USB keys from
working, and there would be no traceability as to whose key was used to
access the server.

For maximum security it would seem the other way round would be
better: put the GPG key on the server and the luks keys on the USB
stick. That way each stick can have a unique luks key, making it easy
to revoke that key if the USB stick is lost, copied or otherwise
abused. The downside being each time a new partition is added with a
new key file, every USB key would need to be updated.

Any other pros/cons people can think of for which way round would be
best?

Then just a case now of figuring out how to get GPG to decrypt the
luks key during boot; at least my root partition is not encrypted, so
no problems there. Anyone already using this sort of set-up?

Thanks
Darren


On 23 Oct 2009, at 01:01, Sven Eschenberg wrote:

> DM-crypt itself does not have such an option, but the following
> might be possible:
>
> Encrypt the actual luks key with gpg. You would need the gpg
> passphrase (or key for that matter) to obtain the 'unencrypted'
> luks key, which in turn is used to retrieve the actual luks
> masterkey stored in the volume.
>
> Another way of looking at this: You need gpg and some key (or
> passphrase), to obtain your luks passphrase.
>
> Would that be feasible for you?
>
> Regards
>
> -Sven

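A sketch of the second layout Darren describes above (GPG key on the server, a unique LUKS keyfile per USB stick, one key slot each so a lost stick can be revoked on its own). This is an added example, not code from the thread; the device path /dev/sdX1, the mapper name, the mount point /mnt/usb and the GPG key id BOOTKEY are assumed placeholders, and the luksDump grep assumes LUKS1 output.

```shell
#!/bin/sh
# Added example (not from the thread): per-stick LUKS keyfiles wrapped with GPG.
# Assumed placeholders: DEV (LUKS volume), MAPPER (dm name), /mnt/usb (mounted
# stick) and BOOTKEY (a GPG key already in root's keyring on the server).
set -eu

DEV=${DEV:-/dev/sdX1}
MAPPER=${MAPPER:-data}

# Create a fresh random keyfile, readable only by root.
make_keyfile() {
    out=$1
    head -c 4096 /dev/urandom > "$out"
    chmod 0400 "$out"
}

# List the enabled key slots (LUKS1 luksDump format: "Key Slot 0: ENABLED").
enabled_slots() {
    cryptsetup luksDump "$DEV" | awk '/^Key Slot [0-7]: ENABLED/ { sub(":", "", $3); print $3 }'
}

# Enrol one stick: new keyfile, its own key slot, and only the GPG-wrapped
# copy is written to the stick. Prints the slot number so it can be recorded
# against the stick id (this is the traceability Darren is after).
enroll_stick() {
    stick_id=$1                      # e.g. "alice-usb1"
    before=$(enabled_slots)
    tmp=$(mktemp)
    make_keyfile "$tmp"
    cryptsetup luksAddKey "$DEV" "$tmp"   # prompts for an existing passphrase
    gpg --encrypt --recipient BOOTKEY --output "/mnt/usb/$stick_id.key.gpg" "$tmp"
    rm -f "$tmp"
    after=$(enabled_slots)
    echo "$stick_id enrolled in slot:" $(printf '%s\n' $after | grep -vxF "$before")
}

# Boot-time unlock: decrypt on the server and hand the keyfile to cryptsetup
# via stdin, so the plaintext key never touches disk.
unlock_from_stick() {
    stick_id=$1
    gpg --quiet --decrypt "/mnt/usb/$stick_id.key.gpg" \
        | cryptsetup luksOpen --key-file=- "$DEV" "$MAPPER"
}

# Revoke one stick by wiping its slot; all other sticks keep working.
revoke_slot() {
    cryptsetup luksKillSlot "$DEV" "$1"
}
```

The slot-diff in enroll_stick assumes a single slot was added between the two luksDump calls, which holds when enrolment is done one stick at a time.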