I am writing a Chef LWRP to add a key to a LUKS container and I'm having difficulty coming up with a way to determine whether or not my key already exists. cryptsetup luksAddKey will happily add the same keyfile multiple times, so I can't simply keep calling luksAddKey each Chef run.
So far, the best that I have come up with is
cryptsetup luksDump /dev/xvdf1 --dump-master-key --key-file <thenewkey> > /dev/null
That seems:
- CPU intensive
- not very secure
Anyone have a better idea?
Thanks!
I don't see any chance for testing a key without unlocking the volume (at least referring to the CPU load). But who doesn't have this few CPU seconds? Do you have lots of LUKS volumes per system?
You can alternatively do this:
Every time you add a key you store a digest of the file (that need not even be a secure digest; even MD5 would do). You make a directory /etc/my_luks_keyfiles. For every LUKS volume in the system you create a subdir with the UUID (cryptsetup luksUUID /dev/bla). If you add a key then you create a file with e.g. the timestamp as name and the digest as content. If you remove a key then you remove the file. If you want to know whether a key is active then you compare all files in the directory against the digest (i.e. you need not transfer the key file). And if there are more or less files than active slots then you know you messed it up...
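The digest-registry scheme from the answer above, written out as an added example in Ruby (the language of a Chef LWRP); it is not code from the original post. Assumptions: the registry directory is passed in as a parameter (the answer's /etc/my_luks_keyfiles in production), SHA-256 is used as the digest, the slot-count cross-check parses LUKS1-style "Key Slot N: ENABLED" lines from a constructed luksDump excerpt, and the actual cryptsetup luksAddKey call is supplied by the caller as a block so the idempotency logic can run without a LUKS device.

```ruby
require 'digest'
require 'fileutils'

# Registry layout, as described in the answer:
#   <registry>/<luks-uuid>/<timestamp>-<digest prefix>   (file content: digest of the keyfile)
module LuksKeyRegistry
  module_function

  # SHA-256 of the keyfile; only the digest is ever stored, never the key material.
  def digest_of(keyfile)
    Digest::SHA256.file(keyfile).hexdigest
  end

  def volume_dir(registry, uuid)
    File.join(registry, uuid)
  end

  # Digests currently recorded for this volume.
  def recorded_digests(registry, uuid)
    dir = volume_dir(registry, uuid)
    return [] unless Dir.exist?(dir)
    Dir.children(dir).map { |f| File.read(File.join(dir, f)).strip }
  end

  # True when a keyfile with the same digest has already been registered.
  def registered?(registry, uuid, keyfile)
    recorded_digests(registry, uuid).include?(digest_of(keyfile))
  end

  # Record the digest; returns false if it was already present.
  def register(registry, uuid, keyfile)
    return false if registered?(registry, uuid, keyfile)
    dir = volume_dir(registry, uuid)
    FileUtils.mkdir_p(dir, mode: 0o700)
    digest = digest_of(keyfile)
    name = "#{Time.now.utc.strftime('%Y%m%dT%H%M%S.%N')}-#{digest[0, 8]}"
    File.open(File.join(dir, name), 'w', 0o600) { |f| f.puts(digest) }
    true
  end

  # Remove the record(s) for this keyfile; returns true if anything was removed.
  def unregister(registry, uuid, keyfile)
    digest = digest_of(keyfile)
    dir = volume_dir(registry, uuid)
    return false unless Dir.exist?(dir)
    hits = Dir.children(dir).select { |f| File.read(File.join(dir, f)).strip == digest }
    hits.each { |f| File.delete(File.join(dir, f)) }
    !hits.empty?
  end

  def registered_count(registry, uuid)
    recorded_digests(registry, uuid).size
  end

  # Slot numbers marked ENABLED in `cryptsetup luksDump` output (LUKS1 layout assumed).
  def enabled_slots(dump_text)
    dump_text.scan(/^Key Slot (\d+):\s*ENABLED\s*$/).flatten.map(&:to_i)
  end

  # The answer's sanity check: registry entries must match active key slots.
  def consistent?(registry, uuid, dump_text)
    enabled_slots(dump_text).size == registered_count(registry, uuid)
  end

  # Idempotent add for use in a Chef provider: the block (e.g. a shell_out to
  # `cryptsetup luksAddKey <dev> <keyfile>`) runs only when the digest is unknown.
  def ensure_key(registry, uuid, keyfile)
    return :already_present if registered?(registry, uuid, keyfile)
    yield keyfile
    register(registry, uuid, keyfile)
    :added
  end
end

# Constructed luksDump excerpt (LUKS1 format) used to exercise the slot-count check.
SAMPLE_DUMP = <<~DUMP
  LUKS header information for /dev/constructed

  Version:        1
  Cipher name:    aes
  Key Slot 0: ENABLED
  Key Slot 1: ENABLED
  Key Slot 2: DISABLED
  Key Slot 3: DISABLED
DUMP
```

In a Chef resource the same logic becomes a guard, e.g. `not_if { LuksKeyRegistry.registered?(registry, uuid, keyfile) }` on the execute resource that calls luksAddKey, followed by `LuksKeyRegistry.register` when the command succeeds. The digest files are created mode 0600 in a 0700 directory purely as hygiene; as the answer notes, the digest reveals nothing usable about the key. A `consistent?` result of false means the registry and the header have drifted (a key was added or removed outside Chef) and is worth raising rather than silently re-adding.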