[dm-crypt] LUKS credential management at an enterprise level
arno at wagner.name
Thu Mar 7 22:17:46 CET 2013
In principle, any tool that can reasonably interface to
a commandline interface can do this, see the FAQ and
On the other hand, password rotation is a dead-end, and makes the
problem worse, see e.g.
The basic problem is that password rotation prevents the use
of good, harder to remember passwords, while at the same
time it does noting to increae security. Once somebody halfway
competent has broken in, they will put in their own backdoor anyways.
In the few instances I am subject to this stupid measure, I have taken
to just attach the number fo the month to the password.
The one enterprise feature that is important is a recovery
password. For LUKS, this could be enforced either by policy, or
by an adjusted set-up tool. For example, you could mandate that
keyslot 8 always needs to contain a company recovery password
or that a long, random password has to be put into keyslot 8
and then stored in a sealed envelope in a safe.
On Thu, Mar 07, 2013 at 03:27:56PM -0500, Jeff Diehl wrote:
> Is anyone aware of a product/tool that can manage LUKS credentials
> at an enterprise level. More specifically, something that can deal
> with things like password rotation.
> dm-crypt mailing list
> dm-crypt at saout.de
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno at wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
More information about the dm-crypt