[dm-crypt] passphrase management question
michael at kjorling.se
Wed Oct 26 22:39:37 CEST 2016
On 26 Oct 2016 10:43 -0600, from clemfoster at lookafish.com (ClEmFoster):
> The problem is they are going to start requiring that
> these machines also receive a passphrase change every 3 or 6 months.
Not sure what threat model that is meant to protect against, but...
> cryptsetup for luks requires an existing passphrase to add/change another.
> Physical interaction to change passphrase is not very realistic for 100+
> machines. Ideally I would like to change the password via an automated
Perhaps unless you are running an ancient cryptsetup, and assuming
that you really are working with LUKS (not plain dm-crypt), the manual
page explicitly states that the passphrases do not need to be provided
    luksChangeKey <device> [<new key file>]

        Changes an existing passphrase. The passphrase to be changed
        must be supplied interactively or via --key-file. The new
        passphrase can be supplied interactively or in a file given as

        <options> can be [--key-file, --keyfile-offset, --keyfile-size,
        --new-keyfile-offset, --new-keyfile-size, --key-slot].
That should be all you need.
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
“People who think they know everything really annoy
those of us who know we don’t.” (Bjarne Stroustrup)
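As an added example (not from the thread or from the cryptsetup project), a POSIX shell script that does the non-interactive rotation the reply describes: luksChangeKey with --key-file for the current passphrase and a new key file as the positional argument, checking with `cryptsetup open --test-passphrase` that the new key unlocks the device before the old key file is replaced. The device path and the key file locations are assumptions.

```shell
#!/bin/sh
# Rotate a LUKS key slot without any interactive prompt.
# Assumed layout (hypothetical): the current passphrase lives in a root-only
# key file, and a fresh random key file is generated beside it.
set -eu

# Create a 64-byte random key file readable only by root.
make_keyfile() {
    newkey=$1
    ( umask 077; head -c 64 /dev/urandom > "$newkey" )
    [ "$(wc -c < "$newkey" | tr -d ' ')" -eq 64 ]
}

# Replace the passphrase held in $oldkey with the contents of $newkey.
# The old key file is only overwritten after the new key has been verified,
# so a failed change never leaves the machine without a working key.
rotate_luks_key() {
    dev=$1 oldkey=$2 newkey=$3
    cryptsetup luksChangeKey "$dev" "$newkey" --key-file "$oldkey" || {
        echo "luksChangeKey failed on $dev; keeping $oldkey" >&2
        return 1
    }
    if cryptsetup open --test-passphrase --key-file "$newkey" "$dev"; then
        mv -f "$newkey" "$oldkey"   # new key becomes the canonical key file
        return 0
    fi
    echo "new key does not unlock $dev; keeping $oldkey" >&2
    return 1
}

# Usage: rotate-luks-key.sh /dev/sdX /root/luks.key /root/luks.key.new
if [ "$#" -eq 3 ]; then
    make_keyfile "$3"
    rotate_luks_key "$1" "$2" "$3"
fi
```

Run it from the configuration management tool on each host; the only secret that has to travel is the key file, which the script keeps root-only.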