Difference between revisions of "User:Indigo/Test1"

From ArchWiki
(Removing LUKS keys)
m (Cryptsetup actions specific for LUKS: hoovering)
== Cryptsetup actions specific for LUKS ==
=== Key management ===
It is possible to define up to 8 different keys per LUKS partition. This enables the user to create access keys for safe backup storage. A separate key slot can also be used to grant a user access to a partition by issuing a second key and later revoking it again. The passphrase or key-file of a key may be changed.
Once an encrypted partition has been created, the initial keyslot 0 is created (if no other was specified manually). Additional keyslots are numbered from 1 to 7. Which keyslots are in use can be seen by issuing:
{{hc|# cryptsetup luksDump /dev/<device> <nowiki>|</nowiki>grep BLED|
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED}}
==== Adding LUKS keys ====
Adding new keyslots is accomplished using cryptsetup with the {{ic|luksAddKey}} action. For safety it will always ask for a valid existing key ("any passphrase") before a new one may be entered, even for devices that are already unlocked:
{{hc|# cryptsetup luksAddKey /dev/<device> (/path/to/<additionalkeyfile>)|
Enter any passphrase:
Enter new passphrase for key slot:
Verify passphrase:}}
Where <device> is the volume containing the LUKS header to which the new keyslot is added. This works on header backup files as well.
If {{ic|/path/to/<additionalkeyfile>}} is given, cryptsetup will add a new keyslot for <additionalkeyfile>. Otherwise a new passphrase will be prompted for twice.
To unlock the master key with an existing ''keyfile'' keyslot, pass the {{ic|--key-file}} or {{ic|-d}} option followed by the "old" <keyfile>; cryptsetup will try it against every keyslot that accepts the keyfile:
{{bc|# cryptsetup luksAddKey /dev/<device> (/path/to/<additionalkeyfile>) -d /path/to/<keyfile>}}
If it is intended to use multiple keys and change or revoke them, the {{ic|--key-slot}} or {{ic|-S}} option may be used to specify the slot:
{{hc|# cryptsetup luksAddKey /dev/<device> -S 6|
Enter any passphrase:
Enter new passphrase for key slot:
Verify passphrase:}}
{{hc|# cryptsetup luksDump /dev/sda8 <nowiki>|</nowiki>grep 'Slot 6'|
Key Slot 6: ENABLED}}
Now we change the key right away before continuing to remove it:
{{hc|# cryptsetup luksChangeKey /dev/<device> -S 6|
Enter LUKS passphrase to be changed:
Enter new LUKS passphrase:}}
==== Removing LUKS keys ====
There are two different actions to remove keys from the header:
*{{ic|luksRemoveKey}} is used to remove a key by specifying its passphrase/key-file and
*{{ic|luksKillSlot}} may be used to remove a key from a specific key slot (using another key). Obviously, this is extremely useful if you have forgotten a passphrase, lost a key-file, or have no access to it.
{{warning|Both above actions can be used to irrevocably delete the last active passphrase or key to an encrypted device!}}
Given the warning above, it is good to verify that the key we want to '''keep''' is valid. An easy check is to unlock the device with the {{ic|-v}} option, which reports which slot the key occupies:
{{bc|# cryptsetup -v open /dev/<device> testcrypt
Enter passphrase for /dev/<device>:
Key slot 1 unlocked.
Command successful.}}
Now we can remove the key added above:
{{hc|# cryptsetup luksRemoveKey /dev/<device>|
Enter LUKS passphrase to be deleted:}}
If we had used the same passphrase for two keyslots, the first slot would be wiped now. Only executing it again would remove the second one.
Alternatively, we can specify the key slot:
{{hc|# cryptsetup luksKillSlot /dev/<device> 6|
Enter any remaining LUKS passphrase:}}
Note that in both cases, no confirmation was required.
{{hc|# cryptsetup luksDump /dev/sda8 <nowiki>|</nowiki>grep 'Slot 6'|
Key Slot 6: DISABLED}}
To stick with the warning above: If the same passphrase had been used for key slots 1 and 6, both would be gone now.
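The add, verify, then remove sequence described in the sections above, as an added example script that is not part of the ArchWiki page: it adds a replacement key into a chosen slot, confirms with {{ic|--test-passphrase -v}} that the new key really unlocks that slot, and only then kills the slot the old key occupied, so the header can never be left without a verified key. It assumes cryptsetup on PATH, root privileges for the header writes, the LUKS1 {{ic|luksDump}} format shown on the page ("Key Slot N: ENABLED"), and hypothetical device and key-file paths.

```shell
# Added example, not code from the ArchWiki page. Assumes cryptsetup is on
# PATH, a LUKS1-style header (the "Key Slot N: ENABLED" dump format shown on
# the page), and root privileges for the luksAddKey/luksKillSlot header writes.
set -u

# Print the numbers of ENABLED key slots from `cryptsetup luksDump` output
# read on stdin (the information the page extracts with `grep BLED`).
enabled_slots() {
    awk '/^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3 }'
}

# Print how many key slots are enabled in the luksDump output on stdin.
count_enabled() {
    enabled_slots | wc -l | tr -d ' '
}

# Print the slot number that the key in file $2 unlocks on device $1, using
# --test-passphrase so no mapping is activated. Prints nothing if it unlocks
# no slot.
slot_for_key() {
    cryptsetup open --test-passphrase -v --key-file "$2" "$1" 2>&1 |
        sed -n 's/^Key slot \([0-9]*\) unlocked\.$/\1/p'
}

# Rotate a key: add the key in $3 into slot $4 using the old key in $2, verify
# that the new key unlocks that slot, and only then kill the slot the old key
# occupied. The two checks keep the page's warning about deleting the last
# valid key from applying: nothing is removed before the new key is confirmed.
rotate_key() {
    dev=$1 old=$2 new=$3 slot=$4
    old_slot=$(slot_for_key "$dev" "$old")
    if [ -z "$old_slot" ]; then
        echo "old key does not unlock any slot on $dev" >&2; return 1
    fi
    cryptsetup luksAddKey --key-file "$old" --key-slot "$slot" "$dev" "$new" || return 1
    if [ "$(slot_for_key "$dev" "$new")" != "$slot" ]; then
        echo "new key failed verification; slot $old_slot left untouched" >&2; return 1
    fi
    # luksKillSlot asks for a remaining key; the verified new key satisfies it.
    cryptsetup luksKillSlot --key-file "$new" "$dev" "$old_slot" || return 1
    cryptsetup luksDump "$dev" | count_enabled
}

# Usage (hypothetical paths): rotate_key /dev/<device> old.key new.key 6
if [ "$#" -eq 4 ]; then rotate_key "$@"; fi
```

On success the script prints the number of slots still enabled, so a result of 1 means only the new key remains.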

Revision as of 18:42, 18 June 2014