[dm-crypt] Restricting rights of a particular slot of the 8 slots of passphrases for LUKS

Suresh Govindachar sgovindachar at yahoo.com
Thu May 3 04:01:29 CEST 2018


Hello,

My understanding is that LUKS supports 8 passphrases and that knowing 
any one of them allows one to operate on the LUKS header, for example, 
to change the passphrases in all the slots, to copy the exposed header 
etc.  Is it possible to restrict the rights of a particular slot, say, 
slot 8, to only getting read/write access to the data and no access to 
the LUKS header?  If such were the case, an IT department could deploy 
laptops to employees with the employees' passphrase occupying the 
special slot.

If such a feature does not exist, what commands would need to be removed 
from the employees' sudo rights to achieve the same end?

Thanks,

--Suresh

