[dm-crypt] pashphrase management question
clemfoster at lookafish.com
Wed Oct 26 23:08:23 CEST 2016
On Wed, October 26, 2016 2:39 pm, Michael KjÃ¶rling wrote:
> On 26 Oct 2016 10:43 -0600, from clemfoster at lookafish.com (ClEmFoster):
>> The problem is they are going to start requiring that
>> these machines also receive a passphrase change every 3 or 6 months.
> Not sure what threat model that is meant to protect against, but...
Agreed, but I have no say in this requirement.
>> cryptsetup for luks requires an existing passphrase to add/change
>> another. Physical interaction to change passphrase is not very realistic
>> for 100+ machines. Ideally I would like to change the password via an
>> automated system.
> Perhaps unless you are running an ancient cryptsetup, and assuming
> that you really are working with LUKS (not plain dm-crypt), the manual page
> explicitly states that the passphrases do not need to be provided
> luksChangeKey <device> [<new key file>]
> Changes an existing passphrase. The passphrase to be changed
> must be supplied interactively or via --key-file. The new passphrase can be
> supplied interactively or in a file given as positional argument. /.../
> <options> can be [--key-file, --keyfile-offset, --keyfile-size,
> --new-keyfile-offset, --new-keyfile-size, --key-slot].
> That should be all you need.
I did read that in the man page, but if you want a passphrase changed in
that manor then you have to put the new and old passphrase in a file plain
text. Unless I am missing something. I was hoping to fine some way to
encrypt it before passing it in. like you can do with other applications.
> Michael KjÃ¶rling â¢ https://michael.kjorling.se â¢ michael at kjorling.se
> âPeople who think they know everything really annoy those of us who know
> we donât.â (Bjarne Stroustrup)
> dm-crypt mailing list dm-crypt at saout.de
More information about the dm-crypt