Bug 485427 - LUKS multiple keys/passphrases support
Product: Fedora
Classification: Fedora
Component: cryptsetup-luks
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: LVM and device-mapper development team
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-02-13 10:26 EST by eblix08
Modified: 2009-03-10 20:11 EDT
CC List: 9 users
Doc Type: Bug Fix
Last Closed: 2009-03-10 20:11:28 EDT

Attachments: None

Description eblix08 2009-02-13 10:26:58 EST
I would like to see support for LUKS multiple keys/passphrases.

Specifically I have two scenarios:
1) Needle in the haystack.  I would like to place a directory on the boot partition with a few hundred key-files.  At login I am prompted for my passphrase, which is currently how Fedora works.  After I enter my passphrase I am prompted for my key-file(s), a simple text box where I can enter a comma-delimited list of key-files to use, e.g. 5, 23, 192

An important note: in order for the 1st scenario to work, any metadata about when the files were accessed must be scrubbed.  If I have a hundred key-files but three of them show the same last-accessed date, then it would defeat the purpose.

2) I would like to be able to put in a USB key with key-files on it.  And as with scenario 1 I would be prompted for a comma-delimited list of key-files to use.

How I would envision this working is that the boot-loader would search all available drives for a specific directory name, e.g. luks-keys.  In this directory would be the files it uses for keys.

--1 (key-file just named "1")
--key3.txt (key-files named anything the user wishes)

Comment 1 Till Maas 2009-03-10 20:11:28 EDT
Just append the list of key-files to your passphrase instead, e.g. if you used the passphrase "this is my passphrase", use "this is my passphrase 5, 23, 192" instead. Then you get, imho, the same effect w.r.t. the work needed to brute-force the passphrase.

If you also want support for key-files on USB in /etc/crypttab, please open a bug report against the package initscripts.
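The trade-off argued in Comment 1 (and the reporter's "needle in the haystack" design) can be put in numbers. The following is an added Python example, not code from this bug, from cryptsetup or from Fedora; the figures it uses (300 key-files, 3 chosen, a passphrase estimated at 40 bits) are constructed, and it assumes the attacker can read every key-file in the directory (they sit on the unencrypted boot partition), so only the selection is secret.

```python
import math


def selection_bits(total_files: int, chosen: int, ordered: bool = False) -> float:
    """Search-space bits contributed by the *choice* of key-files alone.

    total_files: how many key-files sit in the (attacker-readable) directory.
    chosen:      how many of them the user picks at unlock time.
    ordered:     True if the order of the list matters to the unlock logic
                 (e.g. key material is concatenated in the order given).
    Assumption: every key-file is readable, so only the selection is secret.
    """
    if not 0 <= chosen <= total_files:
        raise ValueError("chosen must be between 0 and total_files")
    # Unordered choice is C(N, k); ordered choice is N! / (N - k)!.
    count = math.perm(total_files, chosen) if ordered else math.comb(total_files, chosen)
    return math.log2(count) if count > 1 else 0.0


def secret_keyfile_bits(size_bytes: int) -> int:
    """Upper bound on what a single key-file adds when it is random *and*
    not readable by the attacker (e.g. it only exists on a USB stick that
    is kept offline). Bounded by the file's own content, not by the haystack."""
    return 8 * size_bytes


def total_unlock_bits(passphrase_bits: float, total_files: int, chosen: int,
                      ordered: bool = False) -> float:
    """Combined work factor (log2 of guesses) of passphrase plus selection.

    Appending the list to the passphrase (Comment 1) or entering the same list
    at a separate prompt (the request) encodes the same information, so both
    give this sum under the same attacker model.
    """
    return passphrase_bits + selection_bits(total_files, chosen, ordered)


if __name__ == "__main__":
    # Constructed figures: 300 readable key-files on /boot, three chosen,
    # on top of a passphrase estimated at 40 bits.
    print(f"3 of 300, unordered: {selection_bits(300, 3):.1f} bits")
    print(f"3 of 300, ordered:   {selection_bits(300, 3, ordered=True):.1f} bits")
    print(f"one secret 32-byte key-file: {secret_keyfile_bits(32)} bits")
    print(f"passphrase(40) + selection: {total_unlock_bits(40, 300, 3):.1f} bits")
```

With these figures the haystack adds roughly 22 bits (unordered) or 25 bits (ordered) whether the choice goes through a new prompt or is typed as a passphrase suffix, which is the equivalence Comment 1 relies on. A key-file only adds security beyond that when the attacker cannot read it at all, which is the case the crypttab key-file-on-USB route addresses.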
