Is there any way to decrypt a volume that’s been encrypted using a “standard” or commonly used volume encryption system (such as LUKS) using multiple passphrases? I’ve been searching for something that could do it, but haven’t found anything indicating it’s possible.
If there isn’t a way of doing this natively with LUKS, I’m wondering if anyone has tried to build a custom way of doing it – possibly storing the volume decryption key / passphrase in an encrypted file that can be decrypted by multiple users (e.g. gpg --encrypt --recipient user1 --recipient user2 luks-passphrase.txt) – how would one go about automating prompts to decrypt on boot?
Brief background on the use-case: I want to configure a workstation that a number of users can log on to.
/home is to be encrypted, but I don’t want to use a shared key to distribute between users – each user should be able to boot and log into the system using private, non-shared credentials.
If LUKS won’t work, then I’d look at “GPG encrypted loopback disks” (Patrick Uiterwijk Blog) as an alternative system.
So this feature is natively available in cryptsetup. e.g.
# cryptsetup luksAddKey --key-slot 1 /dev/sda2
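
The key-slot approach from the answer above, as an added example that is not part of the original thread: it builds a throwaway LUKS2 file image, gives each of two users their own passphrase in slots 0 and 1, and revokes one user's slot without touching the other. The file names, passphrases and function names are constructed for illustration, and `--iter-time 200` is set only to keep the demo fast.

```shell
#!/bin/sh
# Added example: per-user LUKS key slots on a throwaway file image.
# All paths and passphrases below are constructed sample values.

# slot_unlocks IMAGE SLOT KEYFILE
# Exit 0 if KEYFILE opens exactly that key slot. --test-passphrase only
# verifies the key; no device is mapped, so root is not required.
slot_unlocks() {
    cryptsetup open --test-passphrase --key-slot "$2" \
        --key-file "$3" "$1" 2>/dev/null
}

# make_demo_volume DIR
# Create DIR/home.img with user1's passphrase in slot 0 and user2's in slot 1.
# Runs in a subshell so the restrictive umask does not leak to the caller.
make_demo_volume() (
    umask 077
    dir=$1
    # printf without a trailing newline: a key file is used byte for byte.
    printf '%s' 'user1 sample passphrase' > "$dir/user1.key"
    printf '%s' 'user2 sample passphrase' > "$dir/user2.key"
    truncate -s 32M "$dir/home.img"   # leaves room for the 16 MiB LUKS2 header
    # --iter-time 200 keeps this demo quick; keep the default on real volumes.
    cryptsetup luksFormat --type luks2 --batch-mode --iter-time 200 \
        --key-slot 0 --key-file "$dir/user1.key" "$dir/home.img" &&
    # Adding a slot needs an existing passphrase (--key-file) to unlock the
    # volume key; the last argument is the new user's passphrase.
    cryptsetup luksAddKey --iter-time 200 --key-slot 1 \
        --key-file "$dir/user1.key" "$dir/home.img" "$dir/user2.key"
)

# revoke_slot IMAGE SLOT AUTH_KEYFILE
# Remove one user's slot, authorised by a passphrase from a different slot.
revoke_slot() {
    cryptsetup luksKillSlot --key-file "$3" "$1" "$2"
}
```

Every slot wraps the same volume key, so revoking a slot stops that passphrase from working but does not re-encrypt the data.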