encrypted second partition needing more than 1 key to unlock
I'm trying to create an encrypted partition on a server which requires two passphrases from a pool of 4 to unlock - all keys can work together. The idea being the disk is usually unmounted unless we want to gain access, then two people can use their keys to unlock it - it must be a combination of any two though otherwise it defeats the object. Additionally, these two people can be at different locations and accessing the box via SSH.
In short "no"... primarily because encrypted partitions use symmetric encryption which uses a single key (i.e. one key to decrypt and encrypt) and you can't have two keys at once....
However, you can treat the key to the encrypted partition as a "session key" (similar in concept to PGP) in which you encrypt it using the RSA keys of your intended "key holders". What you describe is a bit more tricky though because what I described allows any one of the multiple keys to decrypt the session key. In your case you would need to encrypt the session key multiple times with said keys.
For example, one person decrypts the first stage, and the second person takes the output from the first person and uses their RSA key to decrypt the session key. This can get kind of messy though.
What is the problem you're trying to solve? It sounds pretty edge case and unique.
Right, this sounds like it's getting far messier than I want. It's a proof of concept more than anything else - it's basically secure storage of a few files on a remote server which won't be accessed often. The reason for requiring two keys is for security - we don't want anyone to gain access to the files by themselves, for security reasons there needs to be two people involved. Obviously this doesn't rule out collusion, but it makes it that much harder to gain access to the files if you want to do something nefarious/malicious.
Is there any other way you can think of which would achieve roughly the same purpose?
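The two-of-four requirement in the question is exactly what a threshold secret-sharing scheme gives, without the nested-RSA layering described above: split the volume key into four shares so that any two reconstruct it and one alone reveals nothing. The block below is an added example, not code from this thread, of a minimal Shamir split over GF(2^8); it assumes a constructed 32-byte stand-in for the LUKS volume key, which in practice the two holders would reconstruct and pass to cryptsetup.

```python
import itertools
import secrets

POLY = 0x11B  # GF(2^8) reducing polynomial x^8+x^4+x^3+x+1 (the AES field)

def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

def gf_inv(a):
    r = 1  # a^254 == 1/a, since the multiplicative group has order 255
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def eval_poly(coeffs, x):
    r = 0
    for c in reversed(coeffs):  # Horner's rule; coeffs[0] is the constant term
        r = gf_mul(r, x) ^ c
    return r

def split_secret(secret, threshold, total):
    # One random polynomial per secret byte, with that byte as the constant
    # term: fewer than `threshold` points leave every byte value equally likely.
    polys = [[b] + list(secrets.token_bytes(threshold - 1)) for b in secret]
    return [(x, bytes(eval_poly(p, x) for p in polys)) for x in range(1, total + 1)]

def recover_secret(shares):
    # Lagrange interpolation at x=0, byte by byte, from (x, y) shares.
    out = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            num, den = 1, 1
            for m, (xm, _) in enumerate(shares):
                if m != j:
                    num = gf_mul(num, xm)       # (0 - xm) == xm in characteristic 2
                    den = gf_mul(den, xj ^ xm)  # (xj - xm)
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)

def any_two_of_four_recover(volume_key):
    # The thread's requirement: each of the 6 possible pairs of holders unlocks.
    shares = split_secret(volume_key, threshold=2, total=4)
    return all(recover_secret(list(p)) == volume_key for p in itertools.combinations(shares, 2))
```

Whoever runs the reconstruction sees the full key, the same caveat as the second person in the two-stage decryption above, so it should happen on the server at unlock time and the key discarded afterwards.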