Bug 485427 - LUKS multiple keys/passphrases support
Summary: LUKS multiple keys/passphrases support
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: cryptsetup-luks
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: LVM and device-mapper development team
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-02-13 15:26 UTC by eblix08
Modified: 2009-03-11 00:11 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-03-11 00:11:28 UTC
Type: ---
Embargoed:



Description eblix08 2009-02-13 15:26:58 UTC
I would like to see support for LUKS multiple keys/passphrases.

Specifically I have two scenarios:
1) Needle in the haystack.  I would like to place a directory on the boot partition with a few hundred key-files.  At login I am prompted for my passphrase, which is currently how Fedora works.  After I enter my passphrase I am prompted for my key-file(s), a simple text box that I can enter a comma delimited list of key-files to use.  E.g. 5, 23, 192

An important note: in order for the 1st scenario to work, any metadata about when the files were accessed must be scrubbed.  If I have a hundred key-files but three of them show the same last accessed date then it would defeat the purpose.

2) I would like to be able to put in a USB key with key-files on it.  And as with scenario 1 I would be prompted for a comma delimited list of key-files to use.

How I would envision this working is the boot-loader would search all available drives for a specific directory name, e.g. luks-keys.  In this directory would be the files it uses for keys.

sda1
-luks-keys(dir)
--1 (key-file just named "1")
--key3.txt (key-files named anything the user wishes)
--5
--23
--192

sdb1
-luks-keys(dir)
--2
--3
--44

sdb3
-luks-keys(dir)
--22
--33
--444

Comment 1 Till Maas 2009-03-11 00:11:28 UTC
Just append the list of key-files to your passphrase instead, e.g. if you used the passphrase "this is my passphrase" use instead "this is my passphrase 5, 23, 192". Then you get imho the same effect w.r.t. the work needed to brute force the passphrase.

If you also want some keyfile on usb support in /etc/crypttab, please open a bug report against the package initscripts.
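As an added illustration (not written by either poster), the Python below quantifies what both comments reason about: the work an attacker gains from not knowing which k of n key-files are used, which is the same whether the files are read from a directory or their numbers are typed after the passphrase, and how visible access times on the key-file directory collapse that work. The file count, names and timestamps are constructed sample values.

```python
import math
from collections import Counter

# Constructed sample values (not from the bug report).
WRITE_TIME = 1_234_000_000          # atime when the key-files were created
UNLOCK_TIME = 1_234_500_000         # atime after the last unlock read them
USED = ("5", "23", "192")           # the reporter's example list

def selection_bits(n_files: int, k_chosen: int, ordered: bool = True) -> float:
    """Extra work, in bits, from not knowing which k of n key-files are used.

    The reporter's comma-delimited list is ordered (permutations); combining
    the files order-independently leaves only the set (combinations). Typing
    the same indices after the passphrase, as comment 1 suggests, gives the
    same search space: the suffix merely encodes the same choice.
    """
    choices = math.perm(n_files, k_chosen) if ordered else math.comb(n_files, k_chosen)
    return math.log2(choices)

def candidate_selections(atimes: dict, k_chosen: int) -> int:
    """Ordered selections an attacker must still try when access-time
    metadata on the key-file directory is visible.

    Files whose atime differs from the bulk (untouched since they were
    written) are the obvious suspects; if fewer than k stand out, the
    attacker is back to trying the whole directory.
    """
    bulk_atime, _ = Counter(atimes.values()).most_common(1)[0]
    suspects = [name for name, t in atimes.items() if t != bulk_atime]
    pool = suspects if len(suspects) >= k_chosen else list(atimes)
    return math.perm(len(pool), k_chosen)

def build_atimes(n_files: int, used: tuple, scrubbed: bool) -> dict:
    """Constructed directory listing: files named '1'..'n', all written at
    WRITE_TIME; those in `used` were read at UNLOCK_TIME unless their
    access times were scrubbed back to the bulk value afterwards."""
    atimes = {str(i): WRITE_TIME for i in range(1, n_files + 1)}
    if not scrubbed:
        for name in used:
            atimes[name] = UNLOCK_TIME
    return atimes

if __name__ == "__main__":
    n, k = 300, len(USED)
    print(f"unknown {k} of {n} files adds {selection_bits(n, k):.1f} bits")
    leaky = candidate_selections(build_atimes(n, USED, scrubbed=False), k)
    clean = candidate_selections(build_atimes(n, USED, scrubbed=True), k)
    print(f"selections left to try: atimes visible={leaky}, scrubbed={clean}")
```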
