[dm-crypt] LUKS credential management at an enterprise level

Arno Wagner arno at wagner.name
Thu Mar 7 22:17:46 CET 2013


In principle, any tool that can reasonably interface to
a commandline interface can do this, see the FAQ and
the man-page. 

On the other hand, password rotation is a dead-end, and makes the
problem worse, see e.g.

 http://www.schneier.com/blog/archives/2010/11/changing_passwo.html
 http://transvasive.com/index.php?option=com_content&id=46

The basic problem is that password rotation prevents the use
of good, harder to remember passwords, while at the same
time it does noting to increae security. Once somebody halfway
competent has broken in, they will put in their own backdoor anyways.
In the few instances I am subject to this stupid measure, I have taken
to just attach the number fo the month to the password.

The one enterprise feature that is important is a recovery 
password. For LUKS, this could be enforced either by policy, or 
by an adjusted set-up tool. For example, you could mandate that
keyslot 8 always needs to contain a company recovery password 
or that a long, random password has to be put into keyslot 8 
and then stored in a sealed envelope in a safe.

Arno

On Thu, Mar 07, 2013 at 03:27:56PM -0500, Jeff Diehl wrote:
> Is anyone aware of a product/tool that can manage LUKS credentials
> at an enterprise level.  More specifically, something that can deal
> with things like password rotation.
> 
> --
> JD
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell


More information about the dm-crypt mailing list