LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 05-12-2013, 06:10 PM   #1
linuxStudent11
Member
 
Registered: Jun 2007
Posts: 103

Rep: Reputation: 16
Conversion to Key-Based Luks


Is there a utility anywhere that would allow me to convert an existing Luks password-based whole disk encryption system over to a key-based system? Can I
just luksAddKey, luksKillSlot 0, updateramfs to kill the passphrase? (I got lots of irreplaceable stuff in them. I'll right after next tar-czf.)

Is there advantage to trying to do this one step at a time? Do the luksAddKey then use it for a week, etc.

I'm getting tired of memorizing all these darn passwords and phrases. I have too many systems for too many flavors of work and play. I think I'll just use a couple thumbdrives and specify them in the crypttabs (if this can work).

I noticed that Macs can do something similar. They can convert on-the-fly an entire disk system over to a passworded disk.

But keyfiles are way simpler!
 
Old 05-15-2013, 01:04 AM   #2
displace
Member
 
Registered: Jan 2013
Location: EU
Distribution: Debian, Arch, Xubuntu
Posts: 171

Rep: Reputation: 12
I'm currently experimenting with luks/cryptsetup too. Personally I wouldn't kill the password slot just yet. In case you manage to mess something up you'll no longer have access to the partition, if you wipe the pw slot.

Although I haven't managed to setup my system yet, I've read a number of docs for cryptsetup/crypttab. Accordingly you need to setup a keyscript in the crypttab to read a keyfile from a usb thumb drive. At least on debian-based systems you would modify the crypttab with proper parameters and then invoke "update-initramfs -u" as root.

The keyscripts on my system (debian wheezy) are located in /lib/cryptsetup/scripts. I think there was a script that waits for a specific device to appear, then read something from it and pass that to cryptsetup to unlock the partition.

Here's an example of a doc I found on google:
http://binblog.info/2008/12/04/using...ks-passphrase/
Although this uses a custom keyscript I'd try to reuse existing scripts.


Be careful though, if you lose your thumb drive, you lose all access (make backups). Not to mention whoever finds the device will have full access to all of your devices secured in this manner.
 
Old 05-15-2013, 08:41 PM   #3
linuxStudent11
Member
 
Registered: Jun 2007
Posts: 103

Original Poster
Rep: Reputation: 16
Thanks displace. Your webpage helped.
I've been using the following pages off Google:
http://madduck.net/docs/cryptdisk/ and
https://www.martineve.com/2012/11/02...le-passphrase/
I did a simplified step 1 and step 4 from the www.martineve site just to set up an external disk using an internal keyfile. I used /dev/random not urandom . I wonder why he suggested urandom?

I think I might try adding a keyfile right on the boot disk (test try) on an installed system that doesn't matter if I lose it (so much). I'll play in that sandbox before going to the real thing.

And I agree about the "where not to store keyfiles" problem. I really just want this for the thief with physical access when I'm gone or sleeping or whatever. I'll store a tiny MMC SSD in my wallet and/or deposit box. Then I can forget passphrases...which get forgotten with non-use anyway.

This assumes that the "slots" are each alternate ways into the machine. I had thought if you had two slots (a passphrase and a keyfile), you needed to supply BOTH to get in. If you're sure about that, then I'll go ahead.

And i don't think a backup thumbdrive would help unless you can guarantee mounting on exactly the same /dev/name or exactly the same UUID. What if your (init) ramfs space won't look at the badkup?
ttyl
 
Old 05-16-2013, 12:57 AM   #4
displace
Member
 
Registered: Jan 2013
Location: EU
Distribution: Debian, Arch, Xubuntu
Posts: 171

Rep: Reputation: 12
If you're talking about multiple active LUKS slots then you only have to open up one slot to access the data. If there are mulitple active slots this means you can unlock the encrypted partition multiple ways. This is why I suggested you do not wipe the password slot. In case you messed up the keyfile slot you'll still be able to access the data by using the password slot.

Playing in a sandbox is a good idea, I'm doing essentially the same thing. I have a spare laptop where I'm experimenting with luks/cryptsetup and trying to setup two-factor boot authentication with limited success. With two-factor or multi-factor authentication you need *all* credentials to access the disk, unlike LUKS. The setup I'm working on is a simple keyfile + passphrase. The boot partition, the bootloader and the keyfile will be located on an external USB thumbdrive where the PC will boot from. The system data will be fully encrypted on the HDD and of course I will hold the last part (the password) in my brains.


A backup is a must. Even if your computers don't look for this backup device you'll at least still be able to manually unlock the data. But this should not happen - the initramfs should be setup to look on multiple devices for keyfiles - you don't have to set it up to search by UUID, you can use device paths (/dev/sdb1) or filesystem labels instead.

Last edited by displace; 05-16-2013 at 12:59 AM.
 
Old 05-16-2013, 04:50 PM   #5
linuxStudent11
Member
 
Registered: Jun 2007
Posts: 103

Original Poster
Rep: Reputation: 16
thanks again, I gonna give you a SOLVED
 
  


Reply

Tags
cryptsetup, luks


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
changing a LUKS encrypted partition's key Cultist Slackware 1 03-20-2012 12:13 PM
cryptsetup luks key file sam42 Linux - Security 1 09-22-2011 01:11 AM
Luks File Encryption Key- Use an Jpeg Image? dman777 Linux - Security 7 04-27-2011 01:55 PM
luks crupted Partition, accessible olny with a key-file paliga Linux - Security 1 01-05-2011 07:30 PM
Public key crypto with LUKS/dm-crypt? keschrich Linux - Security 0 10-31-2006 03:01 PM


All times are GMT -5. The time now is 09:26 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration