[dm-crypt] LUKS credential management at an enterprise level
diehl.jeff at gmail.com
Fri Mar 8 03:28:36 CET 2013
On 3/7/2013 4:17 PM, Arno Wagner wrote:
> In principle, any tool that can reasonably interface to
> a commandline interface can do this, see the FAQ and
> the man-page.
Thanks. I did note that this was an option.
> On the other hand, password rotation is a dead-end, and makes the
> problem worse, see e.g.
> The basic problem is that password rotation prevents the use
> of good, harder to remember passwords, while at the same
> time it does noting to increase security. Once somebody halfway
> competent has broken in, they will put in their own backdoor anyways.
> In the few instances I am subject to this stupid measure, I have taken
> to just attach the number of the month to the password.
I probably should have made clear early on that the machines I am
interested in managing are not end-user machines. They are a set of
"servers" in a data center. I am looking for "enterprise" features that
would allow me to manage LUKS credentials for a group of machines (~50
boxen). These machines are not restarted with any frequency and the LUKS
credentials are only ever needed by an authorized system administrator
after a reboot. For various compliance reasons outside of my control,
password rotation is required. In addition, I occasionally have a need
to update/modify LUKS passwords for this group of machines on-demand
(e.g. exiting an employee). Managing the machines individually is
possible but cumbersome and before creating a "home-grown" solution, I
wanted to see if there was something already available.
> The one enterprise feature that is important is a recovery
> password. For LUKS, this could be enforced either by policy, or
> by an adjusted set-up tool. For example, you could mandate that
> keyslot 8 always needs to contain a company recovery password
> or that a long, random password has to be put into keyslot 8
> and then stored in a sealed envelope in a safe.
Thanks. We use a process very similar to this for recovery.
More information about the dm-crypt