LinuxQuestions.org
Old 10-01-2010, 09:28 AM   #1
idlehands
Member
 
Registered: Mar 2010
Distribution: zLinux, RHEL, Ubuntu, SUSE
Posts: 50

Rep: Reputation: 16
eCryptfs


RHEL 5x

Anyone know if it's possible on RHEL with ecryptfs to "rekey" the encrypted data? Specifically if using public key to protect the data key, though I would also be interested in passphrase.


Thanks!

This is to comply with things like PCI/DSS where encryption keys have to change regularly.

I was looking at dm-crypt but that didn't look to support any kind of rekey short of data re-encryption and movement between partitions.
 
Old 10-01-2010, 06:39 PM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Quote:
was looking at dm-crypt but that didn't look to support any kind of rekey short of data re-encryption and movement between partitions
I am far from being what I would consider to be an expert in PKI, but I think that this statement is a fundamental function of the encryption process. When you encrypt the file system, you create a key set which is used to encrypt and decrypt the data. The resulting 'hash' is then a mathematical function of the key itself. Consequently, 're-keying' the data would require it to be decrypted and then re-crypted with the new key. Changing the pass-phrase may be a more workable solution. Offhand I don't know if ecryptfs supports this, but the standard GPG tool does, so it may be built into the key structure.

One thing you might consider is not to encrypt the whole drive or partition, but rather to create a small partition, like a "private" directory. You can create a large file, e.g. several megabytes / gigabytes, and use ecryptfs to make it into an encrypted, mountable volume. This way you could simply create a new volume and copy the data from the old one to the new one - Presto - re-keyed and with a new pass phrase.
 
Old 10-03-2010, 11:17 AM   #3
idlehands
Member
 
Registered: Mar 2010
Distribution: zLinux, RHEL, Ubuntu, SUSE
Posts: 50

Original Poster
Rep: Reputation: 16
Well, I agree, the symmetric data key used to encrypt the actual data, for the purposes of this thread, let's call that the "Data Key". Changing that key would require re-encrypting all the data that corresponds to that key. However in a smarter implementation, that data key is typically encrypted and stored with the data with some kind of key encrypting. In the case of ecryptfs, I thought that was the passphrase, that was used to seed some other symmetric key. So, in effect, if I change the passphrase, I am rekeying the key encrypting key, while not changing the data key or the encrypted data.

If I was then to not use a pass-phrase, and to use an asymmetric keypair, I am hoping I could just change the asym key pair, or the key encrypting key.

However, I'm not sure if that is how changing the passphrase works with ecryptfs, nor have I been able to find much reference on changing the asym keypair, if that is being used instead of a passphrase.
 
Old 10-04-2010, 03:22 AM   #4
nomb
Member
 
Registered: Jan 2006
Distribution: Debian Testing
Posts: 675

Rep: Reputation: 58
With dm-crypt, if you use LUKS, you can have multiple keys to encrypt / decrypt and expire them at will or add additionals. I've never used ecryptfs. Only dm-crypt.
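
The data key / key-encrypting key split discussed in post #3, which is also what makes LUKS key slots (post #4) possible, shown as an added example; it is not code from the thread, eCryptfs or LUKS. The HMAC-SHA256 keystream is a stand-in for a real cipher such as AES so the sketch runs on the Python standard library alone, and all function names, passphrases and sample data are constructed.

```python
import hashlib, hmac, os

def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Key-encrypting key (KEK) derived from the passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for AES-CTR: HMAC-SHA256 keystream, 32 bytes per counter value.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under `key`; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(hmac.new(key, b"enc", hashlib.sha256).digest(), nonce, plaintext)
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified data")
    return _xor_stream(hmac.new(key, b"enc", hashlib.sha256).digest(), nonce, ct)

def create_volume(passphrase: str, plaintext: bytes) -> dict:
    data_key, salt = os.urandom(32), os.urandom(16)  # random data key, never shown to the user
    return {"salt": salt,
            "wrapped_key": seal(derive_kek(passphrase, salt), data_key),
            "data": seal(data_key, plaintext)}

def read_volume(vol: dict, passphrase: str) -> bytes:
    data_key = unseal(derive_kek(passphrase, vol["salt"]), vol["wrapped_key"])
    return unseal(data_key, vol["data"])

def change_passphrase(vol: dict, old: str, new: str) -> dict:
    """Rewrap the data key under a new KEK; the bulk ciphertext is not touched."""
    data_key = unseal(derive_kek(old, vol["salt"]), vol["wrapped_key"])
    salt = os.urandom(16)
    return {"salt": salt,
            "wrapped_key": seal(derive_kek(new, salt), data_key),
            "data": vol["data"]}

if __name__ == "__main__":
    vol = create_volume("old passphrase", b"cardholder record (constructed sample)")
    vol2 = change_passphrase(vol, "old passphrase", "new passphrase")
    print(vol2["data"] == vol["data"], read_volume(vol2, "new passphrase"))
```

Because the data key itself never changes, a retained copy of the old wrapped key together with the old passphrase still unlocks the data. Only re-encrypting under a fresh data key closes that gap.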
 
  

