Does anyone know if it is possible to load a LUKS inside a LUKS?
I mean one outer LUKS then LVM then LUKS for individual partitions, so you can differentiate between the passwords for the extra partitions.
The idea is then to have the outer LUKS pass its password to the root partition of the inner LUKS.
There is a thing called decrypt_keyctl that will maintain a password between decrypted devices.
The idea would then be to have a crypttab with:
So sda5 is a crypted device that opens onto sda5_crypt (mapped), which is opened by LVM, which results in several partitions such as "cryptroot" in the volume group "kubuntu"; this cryptroot obtains the same key as the initial sda5/sda5_crypt device (through decrypt_keyctl), allowing it to be opened without further ado.
Then the final mapping is /dev/mapper/kubuntu-cryptroot onto /dev/mapper/decrypted_root, which is the filesystem with ext3 on it, in my case.
This allows for several volumes to be either encrypted or not encrypted, or encrypted with different passwords, or not at all, depending on a base system that allows for a rather meagre or mediocre password.
Then you can have a differential setup in which the base system is easier to gain access to than a deeper level. This allows for several levels, or parts, to your crypt defense. The most sensitive data can then be stored on a crypt device that does not obtain access directly from your access to the main system.
This requires that at boot-up there are two rounds to the decrypting: a first round where the LVM is opened, and a second round where discovered crypto devices are opened from within the LVM.
--I believe I have seen something of the kind in the cryptroot/initramfs scripts.--
But I am unable to test it at this point.
Code:
sda5_crypt /dev/sda5 keyid luks,keyscript=decrypt_keyctl
decrypted_root /dev/mapper/kubuntu-cryptroot keyid luks,keyscript=decrypt_keyctl
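A static consistency check for a crypttab of the kind described in the post, added here as an example; it is not part of the post, nor of cryptsetup's or the initramfs scripts' own tooling. It assumes the Debian/Ubuntu crypttab(5) four-field layout (target, source, key, options), that with keyscript=decrypt_keyctl the third field is the key id under which the passphrase is cached so entries sharing it unlock with one prompt, and the sample crypttab files are constructed to match the sda5 / kubuntu-cryptroot layout above. It never touches a device; it only parses the file.

```shell
#!/bin/sh
# Added example, not from the original post. Parses a crypttab and reports:
#  - which targets share one cached decrypt_keyctl passphrase (same key id),
#  - an inner /dev/mapper/ target listed first, before anything could have
#    produced that mapping in the first unlock round,
#  - inner targets that do NOT use decrypt_keyctl, i.e. the volumes whose
#    protection does not depend on the outer passphrase.

# Constructed sample crypttab, modelled on the layout in the post (assumed).
SAMPLE_CRYPTTAB=$(mktemp)
cat > "$SAMPLE_CRYPTTAB" <<'EOF'
# target           source                           key    options
sda5_crypt         /dev/sda5                        keyid  luks,keyscript=decrypt_keyctl
decrypted_root     /dev/mapper/kubuntu-cryptroot    keyid  luks,keyscript=decrypt_keyctl
decrypted_secret   /dev/mapper/kubuntu-cryptsecret  none   luks
EOF

# Constructed deliberately mis-ordered sample: inner volume listed first.
BAD_CRYPTTAB=$(mktemp)
cat > "$BAD_CRYPTTAB" <<'EOF'
decrypted_root     /dev/mapper/kubuntu-cryptroot    keyid  luks,keyscript=decrypt_keyctl
sda5_crypt         /dev/sda5                        keyid  luks,keyscript=decrypt_keyctl
EOF
trap 'rm -f "$SAMPLE_CRYPTTAB" "$BAD_CRYPTTAB"' EXIT

# One line per decrypt_keyctl key id: "KEYID target1 target2 ...".
# Every target on a line is opened with the same passphrase, so the whole
# group is only as strong as that passphrase. Comments/blank lines skipped.
keyctl_groups() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $4 ~ /(^|,)keyscript=decrypt_keyctl(,|$)/ { members[$3] = members[$3] " " $1 }
        END { for (k in members) print k members[k] }
    ' "$1" | sort
}

# Prints the first entry's target if its source is already a /dev/mapper/
# device: nothing earlier in the file can have created that mapping, so the
# first-round unlock would fail or prompt for a device that does not exist yet.
orphan_mapper_sources() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        { n++ }
        n == 1 && $2 ~ /^\/dev\/mapper\// { print $1 }
    ' "$1"
}

# Inner (/dev/mapper/-backed) targets without decrypt_keyctl: these prompt on
# their own and are the place for data that must not fall with the outer key.
separately_keyed() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $2 ~ /^\/dev\/mapper\// && $4 !~ /(^|,)keyscript=decrypt_keyctl(,|$)/ { print $1 }
    ' "$1"
}

# Human-readable report for one crypttab file.
report() {
    echo "== $1"
    echo "-- targets sharing one cached passphrase (key id first):"
    keyctl_groups "$1"
    for t in $(orphan_mapper_sources "$1"); do
        echo "WARNING: '$t' is listed first but its source is a /dev/mapper/ device"
    done
    echo "-- inner targets that prompt separately:"
    separately_keyed "$1"
}

report "$SAMPLE_CRYPTTAB"
report "$BAD_CRYPTTAB"
```

Run it against a real /etc/crypttab with `report /etc/crypttab`. The group line shows exactly which volumes inherit the outer passphrase; anything meant to be stronger than the base system should appear under "prompt separately" instead.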