* [dm-crypt] Restricting rights of a particular slot of the 8 slots of passphrases for LUKS
@ 2018-05-03  2:01 Suresh Govindachar
  2018-05-03  2:44 ` Arno Wagner
  0 siblings, 1 reply; 2+ messages in thread
From: Suresh Govindachar @ 2018-05-03  2:01 UTC (permalink / raw)
  To: dm-crypt

Hello,

My understanding is that LUKS supports 8 passphrases and that knowing 
any one of them allows one to operate on the LUKS header, for example, 
to change the passphrases in all the slots, to copy the exposed header 
etc.  Is it possible to restrict the rights of a particular slot, say, 
slot 8, to only getting read/write access to the data and no access to 
the LUKS header?  If such were the case, an IT department could deploy 
laptops to employees with the employees' passphrase occupying the 
special slot.

If such a feature does not exist what commands would need to be removed 
from the employees' sudo rights to achieve the same end?

Thanks,

--Suresh


* Re: [dm-crypt] Restricting rights of a particular slot of the 8 slots of passphrases for LUKS
  2018-05-03  2:01 [dm-crypt] Restricting rights of a particular slot of the 8 slots of passphrases for LUKS Suresh Govindachar
@ 2018-05-03  2:44 ` Arno Wagner
  0 siblings, 0 replies; 2+ messages in thread
From: Arno Wagner @ 2018-05-03  2:44 UTC (permalink / raw)
  To: dm-crypt

Hi Suresh,

no, that does not exist. As cryptsetup is called as root,
such a restriction would not make much sense anyway.

Via sudo, you could completely forbid cryptsetup and only
allow the commands you want via scripts. You would have to lock
down the rest of the system pretty tightly though for that to
work.

Why not tell your employees to stay away from, say, slot 8
and keep a header backup just in case? If you do not trust
your employees, you have lost anyway.

Regards,
Arno


-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier

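As an added example of the sudo-plus-wrapper approach Arno describes (this is editor-supplied illustration, not code from the thread or from the cryptsetup project), the following POSIX sh wrapper is what an IT department could expose through sudo instead of raw cryptsetup. It lets the employee only open and close one fixed LUKS device; every header-modifying verb (luksAddKey, luksKillSlot, luksHeaderBackup, luksDump, and so on) is refused before cryptsetup is ever reached. The device path /dev/sda3, the mapping name "data", the install path /usr/local/sbin/luks-wrap and the user name "employee" are assumptions for the example.

```shell
#!/bin/sh
# luks-wrap: restricted front end to cryptsetup (added example, not from
# the thread). Install as /usr/local/sbin/luks-wrap, root-owned, mode 0755,
# and grant it through sudoers INSTEAD of /sbin/cryptsetup, e.g.:
#
#   employee ALL=(root) NOPASSWD: /usr/local/sbin/luks-wrap open, \
#                                 /usr/local/sbin/luks-wrap close
#
# Caveat from the thread: this only helps if the rest of the system is
# locked down too (no other sudo rules, no writable path to this script,
# no raw block-device access), otherwise the header is reachable anyway.
# Keep an offline header backup as well, made by an administrator:
#
#   cryptsetup luksHeaderBackup /dev/sda3 \
#       --header-backup-file /root/sda3-luks-header.img
#
# Device path and mapping name below are assumptions for the example.
LUKS_DEV="/dev/sda3"
MAP_NAME="data"
CRYPTSETUP="/sbin/cryptsetup"   # absolute path: do not trust $PATH under sudo

# allowed_action VERB -> exit 0 only for the two permitted verbs.
# Anything else (including header-manipulating verbs and verbs with
# trailing options glued on) is rejected.
allowed_action() {
    case "$1" in
        open|close) return 0 ;;
        *)          return 1 ;;
    esac
}

# build_cmd VERB -> prints the exact cryptsetup command line that would be
# executed, with device and mapping name pinned to the constants above, so
# the caller cannot redirect the action to another device or header file.
build_cmd() {
    case "$1" in
        open)  printf '%s open %s %s\n' "$CRYPTSETUP" "$LUKS_DEV" "$MAP_NAME" ;;
        close) printf '%s close %s\n' "$CRYPTSETUP" "$MAP_NAME" ;;
        *)     return 1 ;;
    esac
}

# run_wrapper ARGS... -> validates and execs cryptsetup. Exactly one
# argument is accepted; extra words are refused so nothing like
# "--header /tmp/evil" or a second device can be smuggled in.
run_wrapper() {
    [ "$#" -eq 1 ] || { echo "usage: luks-wrap open|close" >&2; return 2; }
    allowed_action "$1" || { echo "luks-wrap: refused: $1" >&2; return 1; }
    # shellcheck disable=SC2046
    set -- $(build_cmd "$1")   # values contain no whitespace, so splitting is safe
    exec "$@"
}

# Only dispatch when invoked with arguments; sourcing the file for
# inspection or testing does not run cryptsetup.
if [ "$#" -gt 0 ]; then
    run_wrapper "$@"
fi
```

The point of pinning the device, mapping name and cryptsetup path inside the script is that sudo only controls which binary runs, not which arguments it gets; a bare sudoers entry for cryptsetup would still let the employee run luksKillSlot or luksHeaderBackup against the same device.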
