Can luks in fedora 10 , encrypt using a combination of keys and passphrase

Marc Schwartz marc_schwartz at comcast.net
Mon Dec 8 14:56:43 UTC 2008


Bruno Wolff III <bruno at wolff.to> writes:

> On Mon, Dec 08, 2008 at 14:10:58 +0530,
>   Huzaifa Sidhpurwala <huzaifas at redhat.com> wrote:
>> Yep,
>> I am wondering if i can have one slot filled by a passphrase and the
>> second one by a key, do you know if that is possible?
>
> There is an encrypted copy of the disk key in each slot. The key for each
> slot appears to be a string. It can be entered as a passphrase or a key
> file. That much is clear from the cryptsetup documentation. You had
> mentioned a public key system before, but I don't think that makes much
> sense to use. The key file allows you to use keys with lots of entropy, but
> the advantage to that is somewhat negated if the users will have passphrases
> of their choosing that they use to get at the disks.

The dm-crypt/LUKS model has a *single* key that actually does the
underlying encryption/decryption.

The passphrase entered by the user unlocks access to the key so that
encryption/decryption takes place.

You can have up to 8 passphrases I believe, one of which should be an
Admin key and should not be shared. These can vary, though you can have
the same passphrase in more than one slot which some have suggested as a
backup of the primary passphrase.

The advantage over other models, besides being cross-platform, is that
you can have multiple access keys with a single encryption key. That
way, you can disable one passphrase, without compromising the access of
others or having to re-encrypt the whole partition with a new key.

LUKS does support the use of a USB key, though I have not used it
myself. More info here:

  http://www.saout.de/tikiwiki/tiki-index.php?page=LUKSFaq

and there are probably other references available via Google searches.

HTH,

Marc Schwartz
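The single-master-key, multiple-slot model described in this thread, as an added toy illustration (this is not cryptsetup's code and is not LUKS-compatible on disk; the XOR wrapping and the iteration counts are simplifications). Each slot wraps the same master key under a key derived from either a passphrase or key-file bytes, so one slot can hold a passphrase and another a key file, and killing a slot revokes only that credential.

```python
import hashlib
import os

MAX_SLOTS = 8        # a LUKS1 header carries eight key slots
KDF_ITERS = 50_000   # stand-in for the per-slot PBKDF2 iteration count


def _slot_key(secret: bytes, salt: bytes) -> bytes:
    # A passphrase and a key file's contents are both just byte strings,
    # which is why either can fill a slot; the key file merely has more entropy.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, KDF_ITERS, 32)


def _xor_wrap(slot_key: bytes, data: bytes) -> bytes:
    # Keystream XOR stands in for the block cipher real LUKS uses to wrap the
    # master key; XOR is its own inverse, so this both wraps and unwraps.
    stream = hashlib.sha256(slot_key).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


class LuksModel:
    def __init__(self) -> None:
        self.master = os.urandom(32)            # the one key that encrypts the data
        self.digest_salt = os.urandom(16)
        # A stored digest of the master key lets unlock() recognise a correct slot.
        self.digest = hashlib.pbkdf2_hmac("sha256", self.master, self.digest_salt, 1000, 20)
        self.slots: list = [None] * MAX_SLOTS

    def add_key(self, secret: bytes) -> int:
        slot = self.slots.index(None)           # ValueError once all 8 are full
        salt = os.urandom(32)
        self.slots[slot] = (salt, _xor_wrap(_slot_key(secret, salt), self.master))
        return slot

    def unlock(self, secret: bytes):
        # Try every populated slot; return the master key if any of them opens.
        for entry in self.slots:
            if entry is None:
                continue
            salt, wrapped = entry
            candidate = _xor_wrap(_slot_key(secret, salt), wrapped)
            if hashlib.pbkdf2_hmac("sha256", candidate, self.digest_salt, 1000, 20) == self.digest:
                return candidate
        return None

    def kill_slot(self, slot: int) -> None:
        # Revokes one credential; the master key and the encrypted data are untouched.
        self.slots[slot] = None
```

`add_key` accepts the same bytes whether they came from a typed passphrase or from a key file read off a USB stick, which is the combination asked about at the top of the thread.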