Help!

Multiple pass keys with LUKS

 
  

Mumia W.
External


Since: Apr 09, 2007
Posts: 53



Posted: Thu Oct 15, 2009 7:37 pm    Post subject: Multiple pass keys with LUKS
Archived from groups: alt>os>linux>debian, others

Hello. I'm trying to set up a LUKS partition to accept multiple,
different passkeys. I have no problem specifying two binary key files in
two different key slots, but I can't get cryptsetup to accept a new, but
different passphrase for the new key.

For example, I want the key in slot 0 to accept a passphrase of
"BillClinton", and I want the key in slot 1 to accept a passphrase of
"AlGore"; how do I do this?

I'm using Debian Lenny i586 and cryptsetup 1.0.6.
Baho Utot
External


Since: Oct 16, 2009
Posts: 3



Posted: Fri Oct 16, 2009 4:46 am    Post subject: Re: Multiple pass keys with LUKS

On Thu, 15 Oct 2009 19:37:49 -0500, Mumia W. wrote:

> Hello. I'm trying to set up a LUKS partition to accept multiple,
> different passkeys. I have no problem specifying two binary key files in
> two different key slots, but I can't get cryptsetup to accept a new, but
> different passphrase for the new key.
>
> For example, I want the key in slot 0 to accept a passphrase of
> "BillClinton", and I want the key in slot 1 to accept a passphrase of
> "AlGore"; how do I do this?
>
> I'm using Debian Lenny i586 and cryptsetup 1.0.6.

Well, look at what you did: politicians have no trust.

Why do you think you could get an untrusted politician to be trusted?




--
GNU/Linux runs on IBM mainframes and on the world's fastest supercomputers
Windows supercomputers on the other hand are called botnets. <grin>
Mumia W.
External


Since: Apr 09, 2007
Posts: 53



Posted: Fri Oct 16, 2009 12:38 pm    Post subject: Re: Multiple pass keys with LUKS

Mumia W. wrote:
> Hello. I'm trying to set up a LUKS partition to accept multiple,
> different passkeys. I have no problem specifying two binary key files in
> two different key slots, but I can't get cryptsetup to accept a new, but
> different passphrase for the new key.
>
> For example, I want the key in slot 0 to accept a passphrase of
> "BillClinton", and I want the key in slot 1 to accept a passphrase of
> "AlGore"; how do I do this?
>
> I'm using Debian Lenny i586 and cryptsetup 1.0.6.
>

Any ideas?
marrgol
External


Since: Mar 19, 2009
Posts: 4



Posted: Fri Oct 16, 2009 11:10 pm    Post subject: Re: Multiple pass keys with LUKS

On 2009-10-16 02:37, Mumia W. wrote:
> Hello. I'm trying to set up a LUKS partition to accept multiple,
> different passkeys. I have no problem specifying two binary key files in
> two different key slots, but I can't get cryptsetup to accept a new, but
> different passphrase for the new key.

What do you mean by "new, but different passphrase for the new key"?
Maybe show the cryptsetup command you issue and the (error?) message
you get?

> For example, I want the key in slot 0 to accept a passphrase of
> "BillClinton", and I want the key in slot 1 to accept a passphrase of
> "AlGore"; how do I do this?

I think you might have missed the concept. ;-) Each LUKS partition
is encrypted with one and only one master key created when you
luksFormat the partition (it is generated for you, normally you don't
even know it). The keys you supply by either typing in passphrases or
by specifying key files are used to encrypt/decrypt the master key,
and these encrypted master keys are what is stored in the slots.
In simple words, you can use either a passphrase or a key file per
slot, never both...


--
mrg
Robert Nichols
External


Since: Apr 23, 2004
Posts: 171



Posted: Sat Oct 17, 2009 1:49 am    Post subject: Re: Multiple pass keys with LUKS

In article <M66dnV30I-HaMkXXnZ2dnUVZ_jJi4p2d.RemoveThis@earthlink.com>,
Mumia W. <paduille.4061.mumia.w+nospam@earthlink.net> wrote:
:Mumia W. wrote:
:> Hello. I'm trying to set up a LUKS partition to accept multiple,
:> different passkeys. I have no problem specifying two binary key files in
:> two different key slots, but I can't get cryptsetup to accept a new, but
:> different passphrase for the new key.
:>
:> For example, I want the key in slot 0 to accept a passphrase of
:> "BillClinton", and I want the key in slot 1 to accept a passphrase of
:> "AlGore"; how do I do this?
:>
:> I'm using Debian Lenny i586 and cryptsetup 1.0.6.

A given LUKS key slot can use either a passphrase OR a key file, not
both. What gets stored in the slot is the (invariant) master key
encrypted by a key which is a hash of either a passphrase OR a key file.
I don't know what you are doing that makes you believe you have a key
slot containing a binary key protected by a passphrase, but that is not
what you are getting. When you run

cryptsetup luksAddKey /dev/whatever my-new-key-file

and are prompted for a passphrase, you need to supply an existing
passphrase that can decrypt the master key so that the master key can
now be encrypted using the new key file and stored in a new slot. The
passphrase that you enter is not associated with that new slot.

If you want to protect your key file with a passphrase, then you have to
use some mechanism independent of the LUKS encryption of the partition
you are trying to access. Unfortunately, LUKS makes it difficult to use
something other than an ordinary file for a key file.

--
Bob Nichols AT comcast.net I am "RNichols42"
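
Added example (not part of the original posts, and not cryptsetup's code): a simplified Python model of the key-slot scheme described in the two replies above, with one master key wrapped separately in each slot under a key derived from a passphrase or from key file contents. The class and function names are hypothetical, XOR stands in for the real cipher, and the anti-forensic splitter and real iteration counts are left out.

```python
import hashlib, hmac, os

ITER = 1000  # constructed for the demo; a real header stores its own counts

def kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITER, dklen=32)

def xor(a: bytes, b: bytes) -> bytes:
    # Stand-in for the real cipher: only models "wrap the MK under a derived key".
    return bytes(x ^ y for x, y in zip(a, b))

class ToyLuksHeader:
    def __init__(self, first_secret: bytes, slots: int = 8):
        master_key = os.urandom(32)              # generated once, at "luksFormat"
        self.mk_salt = os.urandom(16)
        self.mk_digest = kdf(master_key, self.mk_salt)  # used to recognise the MK
        self.slots = [None] * slots
        self._store(0, master_key, first_secret)

    def _store(self, index: int, master_key: bytes, secret: bytes) -> None:
        salt = os.urandom(16)
        self.slots[index] = (salt, xor(master_key, kdf(secret, salt)))

    def unlock(self, secret: bytes):
        """Return (slot_index, master_key) for the first slot that opens, else None."""
        for i, slot in enumerate(self.slots):
            if slot is None:
                continue
            salt, wrapped = slot
            candidate = xor(wrapped, kdf(secret, salt))
            if hmac.compare_digest(kdf(candidate, self.mk_salt), self.mk_digest):
                return i, candidate
        return None

    def add_key(self, existing_secret: bytes, new_secret: bytes) -> int:
        """Like luksAddKey: an existing secret recovers the MK, the new one wraps it."""
        opened = self.unlock(existing_secret)
        if opened is None:
            raise PermissionError("no key slot opens with the supplied secret")
        free = self.slots.index(None)            # first empty slot
        self._store(free, opened[1], new_secret)
        return free

def demo():
    hdr = ToyLuksHeader(b"BillClinton")              # slot 0: passphrase
    s1 = hdr.add_key(b"BillClinton", b"AlGore")      # slot 1: a second passphrase
    keyfile = os.urandom(64)                         # constructed key file contents
    s2 = hdr.add_key(b"AlGore", keyfile)             # slot 2: key file, no passphrase
    keys = {hdr.unlock(s)[1] for s in (b"BillClinton", b"AlGore", keyfile)}
    return s1, s2, len(keys), hdr.unlock(b"wrong")
```

In demo(), "AlGore" is only used to recover the master key when the key file is added; afterwards it still opens slot 1, not the key file's slot 2.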
Mumia W.
External


Since: Apr 09, 2007
Posts: 53



Posted: Sun Oct 18, 2009 5:46 pm    Post subject: Re: Multiple pass keys with LUKS

Robert Nichols wrote:
> In article <M66dnV30I-HaMkXXnZ2dnUVZ_jJi4p2d.TakeThisOut@earthlink.com>,
> Mumia W. <paduille.4061.mumia.w+nospam@earthlink.net> wrote:
> :Mumia W. wrote:
> :> Hello. I'm trying to set up a LUKS partition to accept multiple,
> :> different passkeys. I have no problem specifying two binary key files in
> :> two different key slots, but I can't get cryptsetup to accept a new, but
> :> different passphrase for the new key.
> :>
> :> For example, I want the key in slot 0 to accept a passphrase of
> :> "BillClinton", and I want the key in slot 1 to accept a passphrase of
> :> "AlGore"; how do I do this?
> :>
> :> I'm using Debian Lenny i586 and cryptsetup 1.0.6.
>
> A given LUKS key slot can use either a passphrase OR a key file, not
> both. What gets stored in the slot is the (invariant) master key
> encrypted by a key which is a hash of either a passphrase OR a key file.
> I don't know what you are doing that makes you believe you have a key
> slot containing a binary key protected by a passphrase, but that is not
> what you are getting. When you run
>
> cryptsetup luksAddKey /dev/whatever my-new-key-file
>
> and are prompted for a passphrase, you need to supply an existing
> passphrase that can decrypt the master key so that the master key can
> now be encrypted using the new key file and stored in a new slot. The
> passphrase that you enter is not associated with that new slot.
>
> If you want to protect your key file with a passphrase, then you have to
> use some mechanism independent of the LUKS encryption of the partition
> you are trying to access. Unfortunately, LUKS makes it difficult to use
> something other than an ordinary file for a key file.
>

Thanks to both you, Robert, and Marrgol, I've got it. Yes, you were
correct that I was confused about LUKS. I was making it too complicated,
but when I did a simple "cryptsetup luksAddKey <device>," I was able to
add the new password easily. Thanks.
Mumia W.
External


Since: Apr 09, 2007
Posts: 53



Posted: Sun Oct 18, 2009 5:46 pm    Post subject: Re: Multiple pass keys with LUKS

marrgol wrote:
> On 2009-10-16 02:37, Mumia W. wrote:
>> Hello. I'm trying to set up a LUKS partition to accept multiple,
>> different passkeys. I have no problem specifying two binary key files in
>> two different key slots, but I can't get cryptsetup to accept a new, but
>> different passphrase for the new key.
>
> What do you mean by "new, but different passphrase for the new key"?
> Maybe show the cryptsetup command you issue and the (error?) message
> you get?
>
>> For example, I want the key in slot 0 to accept a passphrase of
>> "BillClinton", and I want the key in slot 1 to accept a passphrase of
>> "AlGore"; how do I do this?
>
> I think you might have missed the concept. ;-) Each LUKS partition
> is encrypted with one and only one master key created when you
> luksFormat the partition (it is generated for you, normally you don't
> even know it). The keys you supply by either typing in passphrases or
> by specifying key files are used to encrypt/decrypt the master key,
> and these encrypted master keys are what is stored in the slots.
> In simple words, you can use either a passphrase or a key file per
> slot, never both...
>
>

Thank you. I am beginning to understand.