[dm-crypt] pashphrase management question

Sven Eschenberg sven at whgl.uni-frankfurt.de
Thu Oct 27 00:09:27 CEST 2016



Am 26.10.2016 um 23:40 schrieb ClEmFoster:
> On Wed, October 26, 2016 3:21 pm, Sven Eschenberg wrote:
>>
>
>>
>> Am 26.10.2016 um 23:08 schrieb ClEmFoster:
>>
>>> On Wed, October 26, 2016 2:39 pm, Michael Kjörling wrote:
>>>
>>
>>>> luksChangeKey <device> [<new key file>]
>>>>
>>>> Changes an existing passphrase. The passphrase to be changed
>>>> must be supplied interactively or via --key-file. The new passphrase
>>>> can be supplied interactively or in a file given as positional
>>>> argument. /.../ <options> can be [--key-file, --keyfile-offset,
>>>> --keyfile-size,
>>>> --new-keyfile-offset, --new-keyfile-size, --key-slot].
>>>>
>>>>
>>>>
>>>> That should be all you need.
>>>>
>>>
>>> I did read that in the man page, but if you want a passphrase changed
>>> in that manor then you have to put the new and old passphrase in a file
>>> plain text.  Unless I am missing something.  I was hoping to fine some
>>> way to encrypt it before passing it in.  like you can do with other
>>> applications.
>>>
>>
>> That makes absolutely no sense to me. Why would you want to encrypt a
>> passphrase? Or in other words, what's wrong with binary files? Or don't you
>> want to store the files on disk? Then be reminded: STDIN and STDOUT are
>> files, and can be connected to pipes.
>>
>
> I think keyfile and Passphrase are being confused here.
>

No, they are pretty much the same, with some constraints however. The 
actual key is encrypted by the passphrase, a disk can (obviously) only 
have one encryption key.

> This whole disk OS is not booted yet when an admin has to type in the
> passphrase.  Once the OS is running it is true a keyfile could be used but
> then it would also have to be rotated.  I am looking to change the
> passphrase on a 100+ machines utilizing some kind of automated system.  If
> I didn't have an IDM I could generate the hash for any given user and
> automation could edit the shadow file.  I was looking for something
> similar, where I didn't have to have a plain text passphrase sitting on a
> central server.

You are misled in the principles of operation, I think. A password, that 
is hashed, can only authenticate, LUKS however does not use passphrases 
to authenticate, but to reconstruct the key - Simply put, your 
passphrase decrypts the actual disk key. Thus your passphrase itself 
becomes a key.

You are free however to do what you want outside cryptsetup, you could 
use the passphrase's hash as passphrase and store that. When a user 
inputs the passphrase, hash it first and then hand it over to cryptsetup.

You can store the passphrase in a keyring (central location) and have a 
copy of that on the target machine. The user then unlocks the keyring to 
retrieve the passphrase for cryptsetup.

I can think of further options, but it all depends on the exact goal.

>
>>
>>>
>>>>
>>>>
>>>> --
>>>> Michael Kjörling • https://michael.kjorling.se •
>>>> michael at kjorling.se “People who think they know everything really
>>>> annoy those of us who know we don’t.” (Bjarne Stroustrup)
>>>> _______________________________________________
>>>> dm-crypt mailing list dm-crypt at saout.de
>>>> http://www.saout.de/mailman/listinfo/dm-crypt
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> Thanks
>>>
>>>
>>> Travis
>>>
>>>
>>> _______________________________________________
>>> dm-crypt mailing list dm-crypt at saout.de
>>> http://www.saout.de/mailman/listinfo/dm-crypt
>>>
>>>
>>
>> -Sven
>> _______________________________________________
>> dm-crypt mailing list dm-crypt at saout.de
>> http://www.saout.de/mailman/listinfo/dm-crypt
>>
>>
>
> Travis
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>


More information about the dm-crypt mailing list