dm-crypt.saout.de archive mirror
From: Milan Broz <gmazyland@gmail.com>
To: Misha Gusarov <dottedmag@dottedmag.net>, dm-crypt@saout.de
Subject: Re: [dm-crypt] Creating a LUKS container with a pre-made Argon hash
Date: Tue, 22 Dec 2020 14:42:06 +0100
Message-ID: <5f77202f-ac76-66c4-5700-e00e516f68e6@gmail.com>
In-Reply-To: <AF493130-BDEA-4B81-ACDA-6C206D21C634@dottedmag.net>

On 12/12/2020 00:07, Misha Gusarov wrote:
> I'm trying to do an unattended rollout of Linux installations with FDE
> set up. I would like to avoid storing credentials in the configuration
> repository though.
>
> Is there a way to pass a pre-made Argon password hash to cryptsetup to
> use to generate a new master key, or is the plaintext password needed
> for this operation?

No, there is no such function.

Not sure if I understand this use case, but you cannot regenerate
the master (volume) key without providing input that unlocks the keyslot
that stores that key. (Or you need to provide the whole binary
keyslot area.)

But you can later regenerate the volume key with the reencrypt command.

(Some deployed systems call this during first boot.)

Milan


_______________________________________________
dm-crypt mailing list
dm-crypt@saout.de
https://www.saout.de/mailman/listinfo/dm-crypt
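
The first-boot approach mentioned in the reply above, sketched as an added example (not part of the thread and not code from the cryptsetup project). It assumes a LUKS2 device and a key file that unlocks an existing keyslot; the function names, the `DRY_RUN` variable and the stamp-file path are hypothetical.

```shell
#!/bin/sh
# Added example: regenerate the LUKS2 volume key once, on first boot.
# Assumed names (not from the thread): run, rekey_on_first_boot, DRY_RUN,
# and the device, key-file and stamp paths passed as arguments.

# Run a command, or only print it when DRY_RUN is set (for review and testing).
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# $1 = LUKS2 device, $2 = key file that unlocks an existing keyslot,
# $3 = stamp file recording that the volume key was already regenerated.
rekey_on_first_boot() {
    device=$1; keyfile=$2; stamp=$3

    # Later boots: nothing to do.
    if [ -e "$stamp" ]; then
        return 0
    fi

    # Refuse to touch anything that is not a LUKS device.
    run cryptsetup isLuks "$device" || return 1

    # reencrypt generates a new volume key and rewrites the data under it.
    # It still has to unlock a keyslot, hence the key file: as the reply says,
    # the key cannot be regenerated without input that unlocks its keyslot.
    run cryptsetup reencrypt --batch-mode --key-file "$keyfile" "$device" || return 1

    # Write the stamp only after a real, successful run.
    if [ -z "${DRY_RUN:-}" ]; then
        : > "$stamp"
    fi
}

# Stand-alone use: first-boot-rekey.sh DEVICE KEYFILE STAMP
if [ "$#" -eq 3 ]; then
    rekey_on_first_boot "$@"
fi
```

After reencryption the existing keyslots still open with the same passphrase or key file, so a credential that shipped in the image has to be replaced separately.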
