[dm-crypt] pashphrase management question

ClEmFoster clemfoster at lookafish.com
Wed Oct 26 23:08:23 CEST 2016


On Wed, October 26, 2016 2:39 pm, Michael Kjörling wrote:
> On 26 Oct 2016 10:43 -0600, from clemfoster at lookafish.com (ClEmFoster):
>
>> The problem is they are going to start requiring that
>> these machines also receive a passphrase change every 3 or 6 months.
>
> Not sure what threat model that is meant to protect against, but...


Agreed, but I have no say in this requirement.


>
>
>
>> cryptsetup for luks requires an existing passphrase to add/change
>> another. Physical interaction to change passphrase is not very realistic
>> for 100+ machines.  Ideally I would like to change the password via an
>> automated system.
>
> Perhaps unless you are running an ancient cryptsetup, and assuming
> that you really are working with LUKS (not plain dm-crypt), the manual page
> explicitly states that the passphrases do not need to be provided
> interactively:
>
>
> luksChangeKey <device> [<new key file>]
>
> Changes an existing passphrase. The passphrase to be changed
> must be supplied interactively or via --key-file. The new passphrase can be
> supplied interactively or in a file given as positional argument. /.../
> <options> can be [--key-file, --keyfile-offset, --keyfile-size,
> --new-keyfile-offset, --new-keyfile-size, --key-slot].
>
>
> That should be all you need.

I did read that in the man page, but if you want a passphrase changed in
that manor then you have to put the new and old passphrase in a file plain
text.  Unless I am missing something.  I was hoping to fine some way to
encrypt it before passing it in.  like you can do with other applications.


>
>
> --
> Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
> “People who think they know everything really annoy those of us who know
> we don’t.” (Bjarne Stroustrup)
> _______________________________________________
> dm-crypt mailing list dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>
>
>


Thanks

Travis



More information about the dm-crypt mailing list