* [dm-crypt] Quorum system on decryption passphrase
@ 2016-03-30 13:18 Fernando D. Pedemonte
  2016-03-30 14:54 ` Fulano Diego Perez
                   ` (4 more replies)
  0 siblings, 5 replies; 9+ messages in thread
From: Fernando D. Pedemonte @ 2016-03-30 13:18 UTC (permalink / raw)
  To: dm-crypt


Dear List 

I am trying to set up an encrypted partition, and I require 2 of 3 people to enter a passphrase to unlock the device.
Is there any way I can set up the system to require keys in two different slots to unlock the device?

Thanks in advance for your response 
Best Regards 
FP- 



* Re: [dm-crypt] Quorum system on decryption passphrase
  2016-03-30 13:18 [dm-crypt] Quorum system on decryption passphrase Fernando D. Pedemonte
@ 2016-03-30 14:54 ` Fulano Diego Perez
  2016-03-30 15:33   ` Sven Eschenberg
  2016-03-30 15:02 ` Sven Eschenberg
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 9+ messages in thread
From: Fulano Diego Perez @ 2016-03-30 14:54 UTC (permalink / raw)
  To: dm-crypt



you wrote:
> and I require 2 of 3 people to enter a passphrase to unlock the device.

Three may keep a secret, if two of them are dead.
- Benjamin Franklin, 1735

;-)


* Re: [dm-crypt] Quorum system on decryption passphrase
  2016-03-30 13:18 [dm-crypt] Quorum system on decryption passphrase Fernando D. Pedemonte
  2016-03-30 14:54 ` Fulano Diego Perez
@ 2016-03-30 15:02 ` Sven Eschenberg
  2016-03-30 16:27 ` Milan Broz
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 9+ messages in thread
From: Sven Eschenberg @ 2016-03-30 15:02 UTC (permalink / raw)
  To: dm-crypt

Hi Fernando,

I am not sure about what you are asking. Do you mean that a (single) 
person needs to enter 2 (different) passphrases for 2 (different) slots, 
to unlock the device? If so, the answer is no, as each keyslot, when it 
is unlocked, gives you the device encryption key.

If you are asking if you can give 2 different passphrases to two people, 
where each phrase unlocks one of the slots - yes, that is the very 
purpose of LUKS.

Regards

-Sven

P.S.: You might want to clarify your question a little more, if you are 
asking something else.


On 30.03.2016 at 15:18, Fernando D. Pedemonte wrote:
> Dear List
>
> I am trying to set up an encrypted partition, and I require 2 of 3
> people to enter a passphrase to unlock the device.
> Is there any way I can set up the system to require keys in two
> different slots to unlock the device?
>
> Thanks in advance for your response
> Best Regards
> FP-
>
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>


* Re: [dm-crypt] Quorum system on decryption passphrase
  2016-03-30 14:54 ` Fulano Diego Perez
@ 2016-03-30 15:33   ` Sven Eschenberg
  0 siblings, 0 replies; 9+ messages in thread
From: Sven Eschenberg @ 2016-03-30 15:33 UTC (permalink / raw)
  To: dm-crypt

Hi Fernando,

No, dm-crypt/LUKS does not provide for such a modus operandi. BTW,
there's even a difference between needing exactly 2 out of n and at
least 2 out of n (the latter being the two-man rule).

Anyhow, this is out of LUKS' scope - you can however split the 
passphrase and distribute it among the 3 people such that your 
requirements are met.

Regards

-Sven

On 30.03.2016 at 16:54, Fulano Diego Perez wrote:
>
>
> you wrote:
>> and I require 2 of 3 people to enter a passphrase to unlock the device.
>
> Three may keep a secret, if two of them are dead.
> - Benjamin Franklin, 1735
>
> ;-)
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>


* Re: [dm-crypt] Quorum system on decryption passphrase
  2016-03-30 13:18 [dm-crypt] Quorum system on decryption passphrase Fernando D. Pedemonte
  2016-03-30 14:54 ` Fulano Diego Perez
  2016-03-30 15:02 ` Sven Eschenberg
@ 2016-03-30 16:27 ` Milan Broz
  2016-03-30 17:09   ` Michael Kjörling
  2016-03-30 17:14 ` Selim James Levy
  2016-03-30 18:08 ` Arno Wagner
  4 siblings, 1 reply; 9+ messages in thread
From: Milan Broz @ 2016-03-30 16:27 UTC (permalink / raw)
  To: Fernando D. Pedemonte, dm-crypt

On 03/30/2016 03:18 PM, Fernando D. Pedemonte wrote:
> Dear List
> 
> I am trying to set up an encrypted partition, and I require 2 of 3 people to enter a passphrase to unlock the device.
> Is there any way I can set up the system to require keys in two different slots to unlock the device?

If you mean something like Shamir's secret sharing (you need N of M parts to unlock the key),
LUKS doesn't provide this directly, but Clevis/Tang project is going this way (in development).
See end of slides from DevConf - http://slides.com/npmccallum/devconf16#/35
(Not usable yet but good to know about it :-)

Milan


* Re: [dm-crypt] Quorum system on decryption passphrase
  2016-03-30 16:27 ` Milan Broz
@ 2016-03-30 17:09   ` Michael Kjörling
  0 siblings, 0 replies; 9+ messages in thread
From: Michael Kjörling @ 2016-03-30 17:09 UTC (permalink / raw)
  To: dm-crypt

On 30 Mar 2016 18:27 +0200, from gmazyland@gmail.com (Milan Broz):
> If you mean something like Shamir's secret sharing (you need N of M
> parts to unlock the key),
> LUKS doesn't provide this directly, but Clevis/Tang project is going
> this way (in development).

Shamir's was my first thought too. While LUKS doesn't provide this
natively (any one passphrase is sufficient to unlock the container),
what you want can probably be cobbled together using a passphrase file
which is split using Shamir's secret sharing.

For example, you could generate a random passphrase of sufficient
entropy to be secure, and for storage split that into three parts two
of which are required (using regular Shamir's secret sharing). This
should be as secure as 2 out of 3 Shamir's secret sharing can be.

To unlock the container, two of the three individuals get together,
somehow present their respective pieces, and some software combines
them to form the passphrase that is used to unlock the container.

To make it more difficult to access the passphrase while unlocking the
container, you might run it all on a ramfs from within an initrd or
similar.

It should work. Whether it will be secure enough depends on your
threat model. Obviously.

-- 
Michael Kjörling • https://michael.kjorling.se • michael@kjorling.se
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)
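
The scheme Michael describes above (generate a random passphrase, split it 2-of-3 with Shamir's secret sharing, recombine two shares at unlock time), worked through as an added example; this is not code from the thread or from cryptsetup. It does the arithmetic over GF(p) with p = 2^521 - 1 so a 32-byte random secret is one field element, and the share text format (`index-hex`), `SECRET_LEN` and `passphrase_from_secret` are assumptions made here, not anything LUKS defines. It generalises the message's 2-of-3 case to any k-of-n.

```python
import secrets

# Mersenne prime large enough that a 32-byte secret is a single field element,
# so the whole passphrase is shared with one polynomial (no per-byte splitting).
PRIME = 2**521 - 1
SECRET_LEN = 32          # bytes of random material that become the LUKS passphrase (assumed)
SHARE_Y_LEN = 66         # bytes needed to serialise a value below 2**521


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... in GF(PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, share_count: int):
    """Split `secret` into `share_count` (x, y) shares; any `threshold` of them recover it."""
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret does not fit in the field")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def combine_shares(shares, secret_len: int = SECRET_LEN) -> bytes:
    """Lagrange interpolation at x = 0 over the given shares.

    With fewer than `threshold` shares the interpolated value is unrelated to
    the secret (and almost always too large to be a secret_len-byte string)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    if total >= 1 << (8 * secret_len):
        raise ValueError("reconstruction out of range: too few or wrong shares")
    return total.to_bytes(secret_len, "big")


def encode_share(x: int, y: int) -> str:
    """One line of text to hand to a holder: '<index>-<hex>' (format assumed here)."""
    return f"{x}-{y.to_bytes(SHARE_Y_LEN, 'big').hex()}"


def decode_share(line: str):
    x, y = line.strip().split("-")
    return int(x), int.from_bytes(bytes.fromhex(y), "big")


def passphrase_from_secret(secret: bytes) -> str:
    """The string actually fed to cryptsetup; hex keeps it printable and newline-free."""
    return secret.hex()


def demo():
    """Generate, split 2-of-3, then recover from holders 1 and 3 only."""
    secret = secrets.token_bytes(SECRET_LEN)
    lines = [encode_share(x, y) for x, y in split_secret(secret, 2, 3)]
    recovered = combine_shares([decode_share(lines[0]), decode_share(lines[2])])
    assert recovered == secret
    return passphrase_from_secret(recovered)


if __name__ == "__main__":
    print(demo())
```

At unlock time the recovered hex string is piped into `cryptsetup luksOpen --key-file=- <device> <name>` (`-` makes cryptsetup read the passphrase from stdin, without stopping at newlines), and the slot should be enrolled through that same key-file path so the bytes match exactly. The share index must travel with each share, since the interpolation needs distinct x values; and, as the message says, keeping the combine step on a ramfs limits how long the reassembled passphrase exists on disk. The block shows the mathematics; a production setup would more sensibly use a maintained implementation such as `ssss` than hand-rolled field arithmetic.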


* Re: [dm-crypt] Quorum system on decryption passphrase
  2016-03-30 13:18 [dm-crypt] Quorum system on decryption passphrase Fernando D. Pedemonte
                   ` (2 preceding siblings ...)
  2016-03-30 16:27 ` Milan Broz
@ 2016-03-30 17:14 ` Selim James Levy
  2016-03-30 19:32   ` Fernando D. Pedemonte
  2016-03-30 18:08 ` Arno Wagner
  4 siblings, 1 reply; 9+ messages in thread
From: Selim James Levy @ 2016-03-30 17:14 UTC (permalink / raw)
  To: Fernando D. Pedemonte; +Cc: dm-crypt

[-- Attachment #1: Type: text/plain, Size: 1109 bytes --]

Hi Fernando,

There could be an ugly-ish hack to accomplish what you need.  It isn't
scalable to a (much) larger number of people, however.

Let the 3 people's names be A, B, and C (in that alphabetical order) and
their respective passphrases be A*, B*, and C*.

You could tell the three people that if 2 of the three wanted access, they
would type in their passphrases *one after the other* in the person's
(name) alphabetical order.  You would then only need 3 passphrases: A*B*,
A*C*, and B*C*.

As I said: this is an ugly hack.

Best Regards,
Selim

On 30 March 2016 at 09:18, Fernando D. Pedemonte <
fernando.pedemonte@infodat.com.ar> wrote:

> Dear List
>
> I am trying to set up an encrypted partition, and I require 2 of 3
> people to enter a passphrase to unlock the device.
> Is there any way I can set up the system to require keys in two
> different slots to unlock the device?
>
> Thanks in advance for your response
> Best Regards
> FP-
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>
>



* Re: [dm-crypt] Quorum system on decryption passphrase
  2016-03-30 13:18 [dm-crypt] Quorum system on decryption passphrase Fernando D. Pedemonte
                   ` (3 preceding siblings ...)
  2016-03-30 17:14 ` Selim James Levy
@ 2016-03-30 18:08 ` Arno Wagner
  4 siblings, 0 replies; 9+ messages in thread
From: Arno Wagner @ 2016-03-30 18:08 UTC (permalink / raw)
  To: dm-crypt

Hi FP,

no, you cannot. You can simulate it though:
Say the persons have passphrases aaa, bbb and ccc.
Set up passphrases aaabbb, aaaccc and bbbccc and have a
wrapper script that concatenates the two inputs from the
persons and hands it to cryptsetup. (Or use libcryptsetup
and a C program.)

Regards,
Arno


On Wed, Mar 30, 2016 at 15:18:54 CEST, Fernando D. Pedemonte wrote:
>    Dear List
>    I am trying to set up an encrypted partition, and I require 2 of
>    3 people to enter a passphrase to unlock the device.
>    Is there any way I can set up the system to require keys in two
>    different slots to unlock the device?
>    Thanks in advance for your response
>    Best Regards
>    FP-

> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt


-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier
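
The concatenation hack that Selim (A*B*, A*C*, B*C*) and Arno (aaabbb, aaaccc, bbbccc plus a wrapper) both describe, as an added example that is not code from either of them or from cryptsetup. It generalises their 2-of-3 to k-of-n by enrolling one keyslot per k-subset of holders, and makes the slot budget explicit: a LUKS1 header has eight keyslots, so C(n, k) must stay at or below that. Holder names, the `holders` dictionary and the wrapper's function names are assumptions made here.

```python
import getpass
import itertools
import math
import subprocess

LUKS1_KEYSLOTS = 8   # a LUKS1 header holds eight keyslots


def slot_passphrases(holders: dict, k: int = 2) -> dict:
    """Passphrase to enrol in each keyslot.

    One slot per k-subset of holders; its passphrase is the holders' individual
    passphrases concatenated in alphabetical order of name, so the rule for who
    types first is fixed in advance (Selim's A*B*, A*C*, B*C*)."""
    names = sorted(holders)
    return {combo: "".join(holders[n] for n in combo)
            for combo in itertools.combinations(names, k)}


def slots_needed(n: int, k: int) -> int:
    """C(n, k): the number of keyslots the scheme consumes for k-of-n."""
    return math.comb(n, k)


def fits_luks1(n: int, k: int) -> bool:
    return slots_needed(n, k) <= LUKS1_KEYSLOTS


def collect(names) -> dict:
    """Prompt each present holder for their own passphrase without echo."""
    return {n: getpass.getpass(f"passphrase for {n}: ") for n in names}


def combined_input(entered: dict) -> str:
    """What the wrapper hands to cryptsetup: the entered passphrases, ordered by holder name,
    so the result matches an enrolled slot regardless of typing order."""
    return "".join(entered[n] for n in sorted(entered))


def unlock_argv(device: str, mapping: str) -> list:
    # --key-file=- tells cryptsetup to read the passphrase from stdin
    return ["cryptsetup", "luksOpen", "--key-file=-", device, mapping]


def unlock(device: str, mapping: str, entered: dict) -> int:
    """Run cryptsetup with the combined passphrase on stdin; returns its exit status."""
    data = combined_input(entered).encode()
    proc = subprocess.run(unlock_argv(device, mapping), input=data, check=False)
    return proc.returncode


if __name__ == "__main__":
    # Constructed sample: Arno's three holders with passphrases aaa, bbb, ccc.
    holders = {"alice": "aaa", "bob": "bbb", "carol": "ccc"}
    for names, pw in slot_passphrases(holders).items():
        print("enrol for", "+".join(names), "->", pw)
    print("2-of-5 needs", slots_needed(5, 2), "slots; fits LUKS1:", fits_luks1(5, 2))
```

Because `--key-file=-` reads raw bytes from stdin, enrol the slot passphrases through the same wrapper path rather than at an interactive `luksAddKey` prompt, so that no trailing newline differs between enrolment and unlock. Two things the thread's "ugly hack" label covers: the slot count grows as C(n, k) (2-of-5 already needs 10 slots, more than LUKS1 has), and any slot passphrase, once observed, reveals the individual passphrases of both holders in that pair, whereas a Shamir share reveals nothing about the others.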


* Re: [dm-crypt] Quorum system on decryption passphrase
  2016-03-30 17:14 ` Selim James Levy
@ 2016-03-30 19:32   ` Fernando D. Pedemonte
  0 siblings, 0 replies; 9+ messages in thread
From: Fernando D. Pedemonte @ 2016-03-30 19:32 UTC (permalink / raw)
  To: dm-crypt


Thanks for your quick responses, I was thinking of a solution like this one. But I wanted to check with the experts before doing it hehe.
Since I only need a 2 of 3 quorum, I will adopt this hack

Best Regards 
FP- 


From: "Selim James Levy" <sjtlevy@gmail.com> 
To: "Fernando D. Pedemonte" <fernando.pedemonte@infodat.com.ar> 
Cc: "dm-crypt" <dm-crypt@saout.de> 
Sent: Wednesday, March 30, 2016 2:14:53 PM 
Subject: Re: [dm-crypt] Quorum system on decryption passphrase 

Hi Fernando, 
There could be an ugly-ish hack to accomplish what you need. It isn't scalable to a (much) larger number of people, however. 

Let the 3 people's names be A, B, and C (in that alphabetical order) and their respective passphrases be A*, B*, and C*.

You could tell the three people that if 2 of the three wanted access, they would type in their passphrases *one after the other* in the person's (name) alphabetical order. You would then only need 3 passphrases: A*B*, A*C*, and B*C*. 

As I said: this is an ugly hack. 

Best Regards, 
Selim 

On 30 March 2016 at 09:18, Fernando D. Pedemonte < fernando.pedemonte@infodat.com.ar > wrote: 



Dear List 

I am trying to set up an encrypted partition, and I require 2 of 3 people to enter a passphrase to unlock the device.
Is there any way I can set up the system to require keys in two different slots to unlock the device?

Thanks in advance for your response 
Best Regards 
FP- 

_______________________________________________ 
dm-crypt mailing list 
dm-crypt@saout.de 
http://www.saout.de/mailman/listinfo/dm-crypt 