[dm-crypt] passphrase management question

ClEmFoster clemfoster at lookafish.com
Wed Oct 26 23:40:40 CEST 2016


On Wed, October 26, 2016 3:21 pm, Sven Eschenberg wrote:
>
> On 26.10.2016 at 23:08, ClEmFoster wrote:
>
>> On Wed, October 26, 2016 2:39 pm, Michael Kjörling wrote:
>>
>
>>> luksChangeKey <device> [<new key file>]
>>>
>>> Changes an existing passphrase. The passphrase to be changed
>>> must be supplied interactively or via --key-file. The new passphrase
>>> can be supplied interactively or in a file given as positional
>>> argument. /.../ <options> can be [--key-file, --keyfile-offset,
>>> --keyfile-size, --new-keyfile-offset, --new-keyfile-size, --key-slot].
>>>
>>> That should be all you need.
>>>
>>
>> I did read that in the man page, but if you want a passphrase changed
>> in that manner then you have to put the new and old passphrases in a file
>> in plain text.  Unless I am missing something.  I was hoping to find some
>> way to encrypt it before passing it in, like you can do with other
>> applications.
>>
>
> That makes absolutely no sense to me. Why would you want to encrypt a
> passphrase? Or in other words, what's wrong with binary files? Or don't you
> want to store the files on disk? Then be reminded: STDIN and STDOUT are
> files, and can be connected to pipes.
>

I think key file and passphrase are being confused here.

The whole-disk-encrypted OS is not booted yet when an admin has to type in
the passphrase.  Once the OS is running, it is true that a key file could be
used, but then it would also have to be rotated.  I am looking to change the
passphrase on 100+ machines using some kind of automated system.  If I
didn't have an IDM, I could generate the hash for any given user and
automation could edit the shadow file.  I was looking for something
similar, where I didn't have to have a plaintext passphrase sitting on a
central server.

>>>
>>> --
>>> Michael Kjörling • https://michael.kjorling.se •
>>> michael at kjorling.se “People who think they know everything really
>>> annoy those of us who know we don’t.” (Bjarne Stroustrup)
>>> _______________________________________________
>>> dm-crypt mailing list dm-crypt at saout.de
>>> http://www.saout.de/mailman/listinfo/dm-crypt
>>
>> Thanks
>>
>> Travis
>>
>
> -Sven

Travis
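Added example, not from the thread and not cryptsetup's own code: a shell function that does on one host what Sven's "STDIN and STDOUT are files" remark and the luksChangeKey excerpt quoted above describe. Both passphrases reach cryptsetup through FIFOs in a private directory, so neither is written to the filesystem: the existing passphrase via --key-file, the new one as the positional key file. It assumes the automation has already placed the two passphrases in shell variables on the target host; how they get there, and whether the central server has to hold them in the clear, is the question Travis raises and is not answered here. The device path, key slot and passphrases in the usage comment are constructed.

```sh
# Rotate a LUKS passphrase on one host without writing either passphrase
# to the filesystem. Assumes (not from the thread) that the automation has
# already placed the old and new passphrases in shell variables on the host.
#
# usage: luks_rotate_passphrase DEVICE OLD_PASSPHRASE NEW_PASSPHRASE [KEY_SLOT]
luks_rotate_passphrase() {
    lrp_dev=$1; lrp_old=$2; lrp_new=$3; lrp_slot=${4:-}

    # Two FIFOs in a private directory. A FIFO only passes bytes through
    # the kernel pipe buffer, so the passphrases never land on disk.
    lrp_dir=$(mktemp -d) || return 1
    chmod 700 "$lrp_dir"
    mkfifo -m 600 "$lrp_dir/old" "$lrp_dir/new" || { rm -rf "$lrp_dir"; return 1; }

    # Key files are read as raw bytes up to EOF, so a trailing newline would
    # become part of the stored passphrase and an admin typing it at the boot
    # prompt would never match. printf '%s' emits none. Each writer blocks
    # until cryptsetup opens its FIFO.
    printf '%s' "$lrp_old" > "$lrp_dir/old" & lrp_w_old=$!
    printf '%s' "$lrp_new" > "$lrp_dir/new" & lrp_w_new=$!

    # Old passphrase via --key-file, new one as the positional key file,
    # as in the luksChangeKey man page excerpt quoted above.
    if [ -n "$lrp_slot" ]; then
        cryptsetup luksChangeKey --key-slot "$lrp_slot" \
            --key-file "$lrp_dir/old" "$lrp_dev" "$lrp_dir/new"
    else
        cryptsetup luksChangeKey --key-file "$lrp_dir/old" "$lrp_dev" "$lrp_dir/new"
    fi
    lrp_rc=$?

    # If cryptsetup failed before opening a FIFO, its writer is still blocked
    # in open(); reap it so the caller never hangs, then remove the FIFOs.
    kill "$lrp_w_old" "$lrp_w_new" 2>/dev/null || :
    wait "$lrp_w_old" "$lrp_w_new" 2>/dev/null || :
    rm -rf "$lrp_dir"
    return "$lrp_rc"
}

# Confirm the new passphrase unlocks a key slot without activating the
# device. --key-file - reads stdin as raw bytes, so again no newline.
# usage: luks_check_passphrase DEVICE PASSPHRASE
luks_check_passphrase() {
    printf '%s' "$2" | cryptsetup open --test-passphrase --key-file - "$1"
}

# Constructed usage; run as root against a real LUKS device:
#   luks_rotate_passphrase /dev/sdb2 "$OLD_PASS" "$NEW_PASS" 1 &&
#       luks_check_passphrase /dev/sdb2 "$NEW_PASS"
```

Two things to keep in mind when wiring this into the automation: the passphrases still exist in the clear in the shell's memory on the target for the duration of the rotation, and anything passed as a command-line argument to the script itself is visible to other local users through ps, so hand the values in through the environment or a pipe rather than argv. The --test-passphrase check at the end is worth keeping, since a passphrase stored with a stray newline would otherwise only be discovered at the next reboot prompt.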