How to manage disk encryption passphrases and key slots

in security, Tutorials/Tips / on October 6, 2010 at 2:51 pm /
I am reading page: 1 2

Now, when you do a cryptsetup luksDump /dev/sdaX, you will see that you now have two key slots (key slot 0 and key slot 1) in ENABLED status.

luks_05

Two active key slots

With a backup passphrase in place, it is now save to delete the first key that you wanted to delete. And you delete a key, that is, disable a key slot, by typing cryptsetup luksKillSlot /dev/sdaX Y. In this command, “Y” is the key slot that you want to disable. In this particular case, the command will be cryptsetup luksKillSlot /dev/sda7 0 because we are attempting to delete the passphrase stored in the first key slot (key slot 0).

luks_06

Deleting a passphrase

If you do another cryptsetup luksDump /dev/sdaX, you will see that the first key slot, key slot 0, is in DISABLED status.

luks_07

Key dump

Now that you have just one active passphrase, you may want to create another one as a backup, and you can create one in any of the available key slots, including the one you just disabled.

I hope the information presented here has given you some insight into disk encryption passphrase management. This is introductory information. There are more advanced key management tasks that I will address in a future post. Corrections and questions are welcome.

0saves
Save
To have articles like this delivered automatically to your Feed Reader or Inbox, subscribe via RSS or email. For simple comments, use the commenting system, but for more involved assistance, please use the Question & Answer section.
I am reading page: 1 2

Tags: , ,

3 Comments

  1. Tim says:
    September 1, 2011 at 7:58 am

    Opensuse also supports disk encryption (and LVM) natively in its GUI install program.

    Reply

Leave a Comment