[dm-crypt] Restricting rights of a particular slot of the 8 slots of passphrases for LUKS

Arno Wagner arno at wagner.name
Thu May 3 04:44:48 CEST 2018

Hi Suresh,

no, that does not exist. As cryptsetup is callad as root,
such a restriction would not make much sense anyways.

Via sudo, you could completely forbid cryptsetup and only
allow the commands you want wia scripts. You would habe to lock 
down the rest of the system pretty tightly though for that to 

Why not tell your employes to stay away from, say, slot 8
and keep a header backup just in case? If you do not trust 
your employees, you have lost anyways.

On Thu, May 03, 2018 at 04:01:29 CEST, Suresh Govindachar wrote:
> Hello,
> My understanding is that LUKS supports 8 passphrases and that knowing any
> one of them allows one to operate on the LUKS header, for example, to change
> the passphrases in all the slots, to copy the exposed header etc.  Is it
> possible to restrict the rights of a particular slot, say, slot 8, to only
> getting read/write access to the data and no access to the LUKS header?  If
> such were the case, an IT department could deploy laptops to employees with
> the employees' passphrase occupying the special slot.
> If such a feature does not exist what commands would need to be removed from
> the employees' sudo rights to achieve the same end?
> Thanks,
> --Suresh
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> https://www.saout.de/mailman/listinfo/dm-crypt

Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier

More information about the dm-crypt mailing list