Anyone know if it's possible on RHEL with ecryptfs to "rekey" the encrypted data? Specifically if using a public key to protect the data key, though I would also be interested in passphrase.
Thanks!
This is to comply with things like PCI/DSS where encryption keys have to change regularly.
I was looking at dm-crypt but that didn't look to support any kind of rekey short of data re-encryption and movement between partitions.
was looking at dm-crypt but that didn't look to support any kind of rekey short of data re-encryption and movement between partitions
I am far from being what I would consider to be an expert in PKI, but I think that this statement is a fundamental function of the encryption process. When you encrypt the file system, you create a key set which is used to encrypt and decrypt the data. The resulting 'hash' is then a mathematical function of the key itself. Consequently in order to 're-key' the data would require it to be decrypted and then re-crypted with the new key. Changing the pass-phrase may be a more workable solution. Off hand I don't know if ecryptfs supports this, but the standard GPG tool does, so it may be built into the key structure.
One thing you might consider is not to encrypt the whole drive or partition, but rather to create a small partition, like a "private" directory. You can create a large file, e.g. several megabytes / gigabytes, and use ecryptfs to make it into an encrypted, mountable volume. This way you could simply create a new volume and copy the data from the old one to the new one - Presto - re-keyed and with a new pass phrase.
Well, I agree, the symmetric data key is used to encrypt the actual data; for the purposes of this thread, let's call that the "Data Key". Changing that key would require re-encrypting all the data that corresponds to that key. However, in a smarter implementation, that data key is typically encrypted and stored with the data under some kind of key-encrypting key. In the case of ecryptfs, I thought that was the passphrase, which was used to seed some other symmetric key. So, in effect, if I change the passphrase, I am rekeying the key-encrypting key, while not changing the data key or the encrypted data.
If I was then to not use a pass-phrase, and to use an asymmetric keypair, I am hoping I could just change the asym key pair, or the key-encrypting key.
However, I'm not sure if that is how changing the passphrase works with ecryptfs, nor have I been able to find much reference on changing the asym keypair, if that is being used instead of a passphrase.
With dm-crypt, if you use LUKS, you can have multiple keys to encrypt / decrypt and expire them at will or add additional ones. I've never used ecryptfs. Only dm-crypt.
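The two-level scheme discussed in the last two posts (a data key that encrypts the contents, wrapped under a key-encrypting key derived from a passphrase, with LUKS-style key slots) as an added illustration, not code from the thread or from ecryptfs/LUKS; HMAC-SHA256 keystreams stand in for AES so it runs with the Python standard library only, and all names and sample data are constructed:

```python
import hashlib, hmac, os

# Constructed model: a random data key encrypts the contents; each key slot holds
# that data key wrapped under a KEK derived from a passphrase. Rekeying a slot
# re-wraps the data key; the ciphertext itself is never touched.
def keystream_xor(key, nonce, data):
    """Toy counter-mode cipher: XOR data with an HMAC-SHA256 keystream (not AES)."""
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def derive_kek(passphrase, salt):
    # Slow KDF so guessing the passphrase is expensive; the KEK is never stored.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, 32)

def wrap_slot(data_key, passphrase):
    """One key slot: the data key encrypted under the passphrase's KEK, plus a MAC."""
    salt = os.urandom(16)
    kek = derive_kek(passphrase, salt)
    wrapped = keystream_xor(kek, salt, data_key)
    return {"salt": salt, "wrapped": wrapped,
            "tag": hmac.new(kek, wrapped, hashlib.sha256).digest()}

def unwrap_slot(slot, passphrase):
    """Return the data key, or None if the passphrase does not open this slot."""
    kek = derive_kek(passphrase, slot["salt"])
    tag = hmac.new(kek, slot["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, slot["tag"]):
        return None
    return keystream_xor(kek, slot["salt"], slot["wrapped"])

class EncryptedVolume:
    """Ciphertext plus LUKS-style key slots; the plain data key is never stored."""
    def __init__(self, plaintext, passphrase):
        data_key = os.urandom(32)
        self.nonce = os.urandom(16)
        self.ciphertext = keystream_xor(data_key, self.nonce, plaintext)
        self.slots = [wrap_slot(data_key, passphrase)]
    def _data_key(self, passphrase):
        keys = (unwrap_slot(s, passphrase) for s in self.slots)
        return next((k for k in keys if k is not None), None)
    def read(self, passphrase):
        key = self._data_key(passphrase)
        return None if key is None else keystream_xor(key, self.nonce, self.ciphertext)
    def rekey(self, old_passphrase, new_passphrase):
        # Replace the slot old_passphrase opens with one under new_passphrase;
        # self.ciphertext is left exactly as it was (no data re-encryption).
        key = self._data_key(old_passphrase)
        if key is None:
            return False
        self.slots = [s for s in self.slots if unwrap_slot(s, old_passphrase) is None]
        self.slots.append(wrap_slot(key, new_passphrase))
        return True
```

After `rekey`, the old passphrase no longer opens any slot while the stored ciphertext is byte-for-byte unchanged, which is the property the PCI DSS key-rotation question turns on.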