[dm-crypt] pashphrase management question

Michael Kjörling michael at kjorling.se
Wed Oct 26 22:39:37 CEST 2016

On 26 Oct 2016 10:43 -0600, from clemfoster at lookafish.com (ClEmFoster):
> The problem is they are going to start requiring that
> these machines also receive a passphrase change every 3 or 6 months.

Not sure what threat model that is meant to protect against, but...

> cryptsetup for luks requires an existing passphrase to add/change another.
>  Physical interaction to change passphrase is not very realistic for 100+
> machines.  Ideally I would like to change the password via an automated
> system.

Perhaps unless you are running an ancient cryptsetup, and assuming
that you really are working with LUKS (not plain dm-crypt), the manual
page explicitly states that the passphrases do not need to be provided

       luksChangeKey <device> [<new key file>]

              Changes an existing passphrase. The passphrase to be changed
              must be supplied interactively or via --key-file. The new
              passphrase can be supplied interactively or in a file given as
              positional argument.
              <options> can be [--key-file, --keyfile-offset, --keyfile-size,
              --new-keyfile-offset, --new-keyfile-size, --key-slot].

That should be all you need.

Michael Kjörling • https://michael.kjorling.semichael at kjorling.se
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)

More information about the dm-crypt mailing list