* [dm-crypt] Restricting rights of a particular slot of the 8 slots of passphrases for LUKS
@ 2018-05-03 2:01 Suresh Govindachar
From: Suresh Govindachar @ 2018-05-03 2:01 UTC (permalink / raw)
To: dm-crypt
Hello,
My understanding is that LUKS supports 8 passphrases and that knowing
any one of them allows one to operate on the LUKS header, for example,
to change the passphrases in all the slots, to copy the exposed header
etc. Is it possible to restrict the rights of a particular slot, say,
slot 8, to only getting read/write access to the data and no access to
the LUKS header? If such were the case, an IT department could deploy
laptops to employees with the employees' passphrase occupying the
special slot.
If such a feature does not exist what commands would need to be removed
from the employees' sudo rights to achieve the same end?
Thanks,
--Suresh
* Re: [dm-crypt] Restricting rights of a particular slot of the 8 slots of passphrases for LUKS
From: Arno Wagner @ 2018-05-03 2:44 UTC (permalink / raw)
To: dm-crypt
Hi Suresh,
no, that does not exist. As cryptsetup is called as root,
such a restriction would not make much sense anyways.
Via sudo, you could completely forbid cryptsetup and only
allow the commands you want via scripts. You would have to lock
down the rest of the system pretty tightly though for that to
work.
Why not tell your employees to stay away from, say, slot 8
and keep a header backup just in case? If you do not trust
your employees, you have lost anyways.
Regards,
Arno
On Thu, May 03, 2018 at 04:01:29 CEST, Suresh Govindachar wrote:
> Hello,
>
> My understanding is that LUKS supports 8 passphrases and that knowing any
> one of them allows one to operate on the LUKS header, for example, to change
> the passphrases in all the slots, to copy the exposed header etc. Is it
> possible to restrict the rights of a particular slot, say, slot 8, to only
> getting read/write access to the data and no access to the LUKS header? If
> such were the case, an IT department could deploy laptops to employees with
> the employees' passphrase occupying the special slot.
>
> If such a feature does not exist what commands would need to be removed from
> the employees' sudo rights to achieve the same end?
>
> Thanks,
>
> --Suresh
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
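One way to implement the "forbid cryptsetup, allow only a script" approach from the reply above, as an added example that is not part of the thread: a root-owned wrapper that an employee is granted in sudoers instead of cryptsetup itself, exposing only open and close on one fixed volume so that header-modifying actions (luksAddKey, luksKillSlot, luksHeaderBackup, ...) are never reachable through it. The device path, mapping name and script path are hypothetical placeholders for a deployment.

```shell
#!/bin/sh
# luks-user-open: sudo-exposed wrapper for a single LUKS volume.
# Install root-owned, mode 0755, and grant it (not cryptsetup) in sudoers:
#   employee ALL=(root) NOPASSWD: /usr/local/sbin/luks-user-open
# Keep cryptsetup itself out of the employee's sudo rights entirely.
# Hypothetical placeholders: adjust for the real deployment.
LUKS_DEV="/dev/sda3"
MAP_NAME="data"

# Allow-list check: only "open" and "close" are permitted. Every other
# cryptsetup action, including all header-modifying ones, is refused.
luks_wrapper_allowed() {
    case "$1" in
        open|close) return 0 ;;
        *) return 1 ;;
    esac
}

# Dispatch a permitted action with a fixed device and mapping name, so the
# caller cannot point the wrapper at another device or header file.
# Returns 2 (without invoking cryptsetup) for anything not on the allow-list.
luks_wrapper_run() {
    action="$1"
    if ! luks_wrapper_allowed "$action"; then
        echo "luks-user-open: action '$action' is not permitted" >&2
        return 2
    fi
    case "$action" in
        open)  cryptsetup open "$LUKS_DEV" "$MAP_NAME" ;;
        close) cryptsetup close "$MAP_NAME" ;;
    esac
}

# Only dispatch when called with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then
    luks_wrapper_run "$@"
fi
```

The header backup the reply recommends is an administrator task (cryptsetup luksHeaderBackup run as root, stored off the laptop), deliberately not something the wrapper offers.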