From: Jeff Diehl <diehl.jeff@gmail.com>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] LUKS credential management at an enterprise level
Date: Thu, 07 Mar 2013 21:28:36 -0500 [thread overview]
Message-ID: <51394CD4.4050605@gmail.com> (raw)
In-Reply-To: <20130307211746.GA6183@tansi.org>
On 3/7/2013 4:17 PM, Arno Wagner wrote:
> In principle, any tool that can reasonably interface to
> a commandline interface can do this, see the FAQ and
> the man-page.
>
Thanks. I did note that this was an option.
> On the other hand, password rotation is a dead-end, and makes the
> problem worse, see e.g.
>
> http://www.schneier.com/blog/archives/2010/11/changing_passwo.html
> http://transvasive.com/index.php?option=com_content&id=46
>
> The basic problem is that password rotation prevents the use
> of good, harder to remember passwords, while at the same
> time it does noting to increase security. Once somebody halfway
> competent has broken in, they will put in their own backdoor anyways.
> In the few instances I am subject to this stupid measure, I have taken
> to just attach the number of the month to the password.
>
I probably should have made clear early on that the machines I am
interested in managing are not end-user machines. They are a set of
"servers" in a data center. I am looking for "enterprise" features that
would allow me to manage LUKS credentials for a group of machines (~50
boxen). These machines are not restarted with any frequency and the LUKS
credentials are only ever needed by an authorized system administrator
after a reboot. For various compliance reasons outside of my control,
password rotation is required. In addition, I occasionally have a need
to update/modify LUKS passwords for this group of machines on-demand
(e.g. exiting an employee). Managing the machines individually is
possible but cumbersome and before creating a "home-grown" solution, I
wanted to see if there was something already available.
> The one enterprise feature that is important is a recovery
> password. For LUKS, this could be enforced either by policy, or
> by an adjusted set-up tool. For example, you could mandate that
> keyslot 8 always needs to contain a company recovery password
> or that a long, random password has to be put into keyslot 8
> and then stored in a sealed envelope in a safe.
>
Thanks. We use a process very similar to this for recovery.
--
JD
next prev parent reply other threads:[~2013-03-08 2:28 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-07 20:27 [dm-crypt] LUKS credential management at an enterprise level Jeff Diehl
2013-03-07 21:17 ` Arno Wagner
2013-03-08 2:28 ` Jeff Diehl [this message]
2013-03-08 4:29 ` Arno Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51394CD4.4050605@gmail.com \
--to=diehl.jeff@gmail.com \
--cc=dm-crypt@saout.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.