Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-01-2010, 09:28 AM   #1
Registered: Mar 2010
Distribution: zLinux, RHEL, Ubuntu, SUSE
Posts: 50
Anyone know if its possible on RHEL with ecryptfs to "rekey" the encrypted data? Specifically if using public key to protect the data key, though i would also be interested in passphrase.


This is to comply with things like PCI/DSS where encryption keys have to change regularly.

I was looking at dm-crypt but that didn't look to support any kind of rekey short of data re-encryption and movement between partitions.
Old 10-01-2010, 06:39 PM   #2
Senior Member
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125
was looking at dm-crypt but that didn't look to support any kind of rekey short of data re-encryption and movement between partitions
I am far from being what I would consider to be an expert in PKI, but I think that this statement is a fundamental function of the encryption process. When you encrypt the file system, you create a key set which is used to encrypt and decrypt the data. The resulting 'hash' is then a mathematical function of the key itself. Consequently, in order to 're-key' the data would require it to be decrypted and then re-encrypted with the new key. Changing the pass-phrase may be a more workable solution. Offhand I don't know if ecryptfs supports this, but the standard GPG tool does, so it may be built into the key structure.

One thing you might consider is not to encrypt the whole drive or partition, but rather to create a small partition, like a "private" directory. You can create a large file, e.g. several megabytes / gigabytes, and use ecryptfs to make it into an encrypted, mountable volume. This way you could simply create a new volume and copy the data from the old one to the new one - Presto - re-keyed and with a new pass phrase.
Old 10-03-2010, 11:17 AM   #3
Registered: Mar 2010
Distribution: zLinux, RHEL, Ubuntu, SUSE
Posts: 50

Original Poster
Well, I agree, the symmetric data key is used to encrypt the actual data; for the purposes of this thread, let's call that the "Data Key". Changing that key would require re-encrypting all the data that corresponds to that key. However, in a smarter implementation, that data key is typically encrypted and stored with the data under some kind of key-encrypting key. In the case of ecryptfs, I thought that was the passphrase, which was used to seed some other symmetric key. So, in effect, if I change the passphrase, I am rekeying the key-encrypting key while not changing the data key or the encrypted data.

If I was then to not use a pass-phrase, and to use an asymmetric keypair, I am hoping I could just change the asymmetric key pair, i.e. the key-encrypting key.

However, I'm not sure if that is how changing the passphrase works with ecryptfs, nor have I been able to find much reference on changing the asymmetric keypair, if that is being used instead of a passphrase.
Old 10-04-2010, 03:22 AM   #4
Registered: Jan 2006
Distribution: Debian Testing
Posts: 675
With dm-crypt, if you use LUKS, you can have multiple keys to encrypt / decrypt and expire them at will or add additional ones. I've never used ecryptfs. Only dm-crypt.
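The two ideas raised in posts #3 and #4 (a data key that is itself stored encrypted under a key-encrypting key, and LUKS-style key slots that can be added and killed without touching the data) are the same mechanism seen from two sides. The following is an added example written for this thread, not code from ecryptfs, dm-crypt or any poster. It models a volume with one random data key, any number of passphrase slots, and one ciphertext, and shows that rotating a passphrase rewraps the data key while the ciphertext bytes stay identical. The primitives are assumptions for illustration only: an HMAC-SHA256 keystream stands in for the real ciphers (AES for data, a key-wrap mode for keys), and the PBKDF2 iteration count is illustrative.

```python
import hashlib
import hmac
import os

# Demonstration-only primitives (an assumption of this example, not what
# ecryptfs or LUKS use): an HMAC-SHA256 keystream stands in for the real
# ciphers. The key hierarchy, not the cipher, is the point.


def _keystream(key: bytes, label: bytes, length: int) -> bytes:
    """Expand `key` into `length` pseudorandom bytes bound to `label`."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Passphrase -> key-encrypting key (KEK) via PBKDF2; one salt per slot."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 50_000, dklen=32)


def wrap_dek(dek: bytes, passphrase: str) -> dict:
    """Build a key slot: the data key encrypted under the KEK, plus an integrity tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    kek = _derive_kek(passphrase, salt)
    wrapped = _xor(dek, _keystream(kek, b"wrap" + nonce, len(dek)))
    tag = hmac.new(kek, nonce + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "wrapped": wrapped, "tag": tag}


def unwrap_dek(slot: dict, passphrase: str):
    """Return the data key if the passphrase opens this slot, else None."""
    kek = _derive_kek(passphrase, slot["salt"])
    expected = hmac.new(kek, slot["nonce"] + slot["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None
    return _xor(slot["wrapped"], _keystream(kek, b"wrap" + slot["nonce"], len(slot["wrapped"])))


class Volume:
    """Toy encrypted volume: one data key, several passphrase slots, one ciphertext."""

    def __init__(self, passphrase: str):
        dek = os.urandom(32)                       # data key, generated exactly once
        self.data_nonce = os.urandom(16)           # used for the single write() below
        self.slots = [wrap_dek(dek, passphrase)]   # only wrapped copies are ever stored
        self.ciphertext = b""

    def _dek(self, passphrase: str) -> bytes:
        for slot in self.slots:
            dek = unwrap_dek(slot, passphrase)
            if dek is not None:
                return dek
        raise ValueError("no key slot accepts this passphrase")

    def write(self, passphrase: str, plaintext: bytes) -> None:
        dek = self._dek(passphrase)
        self.ciphertext = _xor(plaintext, _keystream(dek, b"data" + self.data_nonce, len(plaintext)))

    def read(self, passphrase: str) -> bytes:
        dek = self._dek(passphrase)
        return _xor(self.ciphertext, _keystream(dek, b"data" + self.data_nonce, len(self.ciphertext)))

    def add_passphrase(self, existing: str, new: str) -> None:
        """Like luksAddKey: wrap the same data key under one more KEK."""
        self.slots.append(wrap_dek(self._dek(existing), new))

    def remove_passphrase(self, passphrase: str) -> None:
        """Like luksKillSlot: drop every slot this passphrase opens, never the last one."""
        keep = [s for s in self.slots if unwrap_dek(s, passphrase) is None]
        if len(keep) == len(self.slots):
            raise ValueError("no key slot accepts this passphrase")
        if not keep:
            raise ValueError("refusing to remove the last key slot")
        self.slots = keep

    def change_passphrase(self, old: str, new: str) -> None:
        """Rekey the KEK only: data key and ciphertext are left untouched."""
        self.add_passphrase(old, new)
        self.remove_passphrase(old)


def can_open(volume: Volume, passphrase: str) -> bool:
    try:
        volume.read(passphrase)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    vol = Volume("old-secret")
    vol.write("old-secret", b"constructed sample record")
    before = bytes(vol.ciphertext)
    vol.change_passphrase("old-secret", "new-secret")
    print("ciphertext unchanged after rekey:", vol.ciphertext == before)
    print("old passphrase still works:", can_open(vol, "old-secret"))
```

The property the OP is after falls out of the structure: `change_passphrase` touches only the slot list, so a PCI-style periodic passphrase rotation costs two KDF runs rather than a full re-encryption. The data key itself is the one thing this scheme cannot rotate cheaply, which is exactly the limitation post #2 describes.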