Multiple passphrase volume decryption on Linux

Problem:

Is there any way to decrypt a volume that’s been encrypted using a “standard” or commonly used volume encryption system (such as LUKS) using multiple passphrases? I’ve been searching for something that could do it, but haven’t found anything indicating it’s possible.

If there isn’t a way of doing this natively with LUKS, I’m wondering if anyone has tried to build a custom way of doing it – possibly storing the volume decryption key / passphrase in an encrypted file that can be decrypted by multiple users (e.g. gpg --encrypt --recipient user1 --recipient user2 luks-passphrase.txt) – how would one go about automating prompts to decrypt on boot?

Brief background on the use-case: I want to configure a workstation that a number of users can log on to. /home is to be encrypted, but I don’t want to use a shared key to distribute between users – each user should be able to boot and log into the system using private, non-shared credentials.

If LUKS won’t work, then I’d look at the approach described in “GPG encrypted loopback disks” (Patrick Uiterwijk’s blog) as an alternative system.

Solution:

So this feature is natively available in cryptsetup, e.g.

# adds a second passphrase in key slot 1; prompts for an existing passphrase first
# cryptsetup luksAddKey --key-slot 1 /dev/sda2
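An added example (not from the original post or answer) of the one-slot-per-user setup the answer points at: each user gets a private passphrase in their own LUKS key slot, a slot can be revoked on its own, and the enabled slots can be read back from luksDump output. DEV, the user names and the existing-passphrase file path are placeholders; the luksDump excerpt is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): one LUKS key slot per user, so every
# user unlocks /home with a private passphrase and any one can be revoked alone.
# Assumes cryptsetup is installed; DEV and the user names are placeholders.
set -eu

# Print the enabled key-slot numbers from "cryptsetup luksDump" output (stdin).
# Handles LUKS2 ("Keyslots:" section, "  N: luks2") and LUKS1 ("Key Slot N: ENABLED").
enabled_slots() {
  awk '
    /^Keyslots:/                 { in_ks = 1; next }
    /^[A-Za-z][A-Za-z ]*:/       { in_ks = 0 }
    in_ks && /^  [0-9]+: luks2/  { sub(":", "", $1); print $1 }
    /^Key Slot [0-9]+: ENABLED/  { sub(":", "", $3); print $3 }
  '
}

# Enroll one passphrase per user. $1 = device, $2 = file holding an already
# enrolled passphrase (authorizes the change), remaining args = user names.
enroll_users() {
  dev="$1"; existing="$2"; shift 2
  slot=1
  for user in "$@"; do
    echo "Private passphrase for $user goes into key slot $slot:"
    cryptsetup luksAddKey --key-slot "$slot" --key-file "$existing" "$dev"
    slot=$((slot + 1))
  done
}

# Check that a passphrase unlocks the volume without mapping it (prompts on the tty).
verify_passphrase() { cryptsetup open --test-passphrase "$1"; }

# Revoke one user: erase only that slot; every other passphrase keeps working.
revoke_slot() { cryptsetup luksKillSlot "$1" "$2"; }

# Constructed LUKS2 luksDump excerpt with slots 0 and 1 enrolled (not real output).
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
	Key:        512 bits
  1: luks2
	Key:        512 bits
Tokens:
Digests:
  0: pbkdf2'

if [ "${DEV:-}" ]; then   # only touch a real device when DEV is set explicitly
  enroll_users "$DEV" /root/current-passphrase.txt alice bob
  cryptsetup luksDump "$DEV" | enabled_slots
fi
```

Run with DEV=/dev/sdXN as root to enroll; without DEV the script only defines the functions, so the slot parser can be exercised on the constructed sample.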
