Gentoo Forums
multiple key encrypted root file system
Toxy (n00b; joined 05 Aug 2003; posts: 8)
Posted: Mon Oct 11, 2004 6:35 pm    Post subject: multiple key encrypted root file system

I was wondering if anybody here has any experience w/ using gpg to set up a multiple key encrypted root file system. As far as I know you have to use loopAES. If you could please share your experience or maybe write a howto I would really appreciate it. Thank you.

P.S. I've looked at the loop-AES readme and they do have a small howto for multiple keys but I need to know how the users get added to the key chain. More of what I need to know is on the gpg side and then maybe the initrd portion of the howto.
watersb (Apprentice; joined 04 Sep 2002; posts: 297; location: take a left turn in Tesuque)
Posted: Mon Oct 11, 2004 7:45 pm    Post subject: Re: multiple key encrypted root file system

Toxy wrote:
I've looked at the loop-AES readme and they do have a small howto for multiple keys but I need to know how the users get added to the key chain. More of what I need to know is on the gpg side and then maybe the initrd portion of the howto.


You are on the right track -- basically, the use of GPG to add additional "users" to the key decryption is covered in GPG tutorials, not Loop-AES specific.

Before reading further, please note that I'm speculating here! I have not yet tried this, but I believe the core concepts to be correct, even if the details are wrong. I post these speculations in the hopes that it will get people thinking along the right track, but do not use these commands on important data until you have verified the correct procedures yourself.

To create a disk-encryption key that can be used by more than one person (where a person is defined as the holder of a private key of an asymmetric key pair), try this:

Code:

gpg --output disk-key.asc --encrypt --recipient user1 --recipient user2 disk-key.raw


Then you can use user1's private key every day, and "escrow" user2's key in a safe place.

Note that GPG maintains a separate password for each user's keychain -- and that using GPG means that you can change your GPG password without changing the disk encryption key. So if you believe that an attacker has sniffed your password, but does not (yet) have physical access to your hard disk, you could make their attack less likely to reveal your hard-disk data by changing your GPG password.


My favorite introduction to GPG is Mike Bauer's articles at LinuxJournal:
http://www.linuxjournal.com/article.php?sid=4828
http://www.linuxjournal.com/article.php?sid=4892

Gentoo Keychain also supports GPG:
http://www.gentoo.org/proj/en/keychain/index.xml
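The multi-recipient wrapping described in the post above, carried through end to end as an added example (not code from the thread or from loop-AES): two throwaway keys are generated, a constructed stand-in for the raw disk key is encrypted to both, and each holder unwraps it with only their own secret key; it also adds the check the post does not show, that a keyring holding neither secret key cannot unwrap it. It assumes GnuPG 2.1 or newer on PATH; the user ids, directories and file names are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: wrap one raw disk key with GPG for two
# recipients and check that either holder can unwrap it alone, while a keyring
# holding neither secret key cannot. Assumes GnuPG 2.1+ on PATH; user ids,
# directories and file names are constructed for this demo only.
set -eu

# Create a throwaway, passphrase-less keypair in its own GNUPGHOME (batch mode).
make_key() {  # $1 = GNUPGHOME, $2 = user id
    mkdir -p "$1" && chmod 700 "$1" &&
    GNUPGHOME=$1 gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --quick-generate-key "$2" default default never
}

# Encrypt the raw key so that user1 OR user2 can decrypt it (the thread's command).
# --trust-model always skips the "key not certified" prompt that --batch would fail on.
wrap_disk_key() {  # $1 = GNUPGHOME with both public keys, $2 = raw key, $3 = output
    GNUPGHOME=$1 gpg --batch --quiet --trust-model always \
        --recipient user1 --recipient user2 --output "$3" --encrypt "$2"
}

# Decrypt with whatever secret key the given GNUPGHOME holds; key goes to stdout.
unwrap_disk_key() {  # $1 = GNUPGHOME, $2 = wrapped key file
    GNUPGHOME=$1 gpg --batch --quiet --decrypt "$2"
}

# Returns 0 only if both recipients recover the identical key and a stranger cannot.
demo() {
    w=$(mktemp -d) || return 1
    make_key "$w/home1" "user1 <user1@example.invalid>" || return 1
    make_key "$w/home2" "user2 <user2@example.invalid>" || return 1
    # user1's keyring needs user2's PUBLIC key before it can encrypt to user2.
    GNUPGHOME=$w/home2 gpg --batch --quiet --export user2 |
        GNUPGHOME=$w/home1 gpg --batch --quiet --import || return 1
    head -c 64 /dev/urandom | base64 > "$w/disk-key.raw"   # stand-in key material
    wrap_disk_key "$w/home1" "$w/disk-key.raw" "$w/disk-key.gpg" || return 1
    for h in home1 home2; do   # each holder unwraps with only their own secret key
        unwrap_disk_key "$w/$h" "$w/disk-key.gpg" > "$w/$h.out" || return 1
        cmp -s "$w/disk-key.raw" "$w/$h.out" || return 1
    done
    mkdir -p "$w/home3" && chmod 700 "$w/home3"   # keyring with no secret key at all
    if unwrap_disk_key "$w/home3" "$w/disk-key.gpg" >/dev/null 2>&1; then return 1; fi
    for h in home1 home2 home3; do GNUPGHOME=$w/$h gpgconf --kill gpg-agent; done
    rm -rf "$w"
}
if command -v gpg >/dev/null 2>&1; then
    demo && echo "both recipients recovered the same disk key; stranger could not"
else
    echo "gpg not found; install GnuPG to run this demo" >&2
fi
```

In real use the escrowed secret key for user2 would be generated and kept offline, not in a temp directory beside user1's.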