Re: [Encfs-users] key rotation
From: Valient G. <va...@gm...> - 2008-09-22 10:34:09
If you want to change the password, then use the encfsctl program. There shouldn't be any problem doing this while encfs is running. On the other hand, the volume key and most configuration options are fixed for the lifetime of the filesystem, so to change those requires migrating to a new filesystem as you suggested.

Keep in mind that there are two keys involved. A password is turned into a user key, which is used to decipher a volume key. The volume key is used to encipher or decipher data. When doing key rotation, such as at a corporation where key rotation is required, you normally rotate the user key (by changing passwords), but not the volume key. Rotating a volume key is often infeasible due to the amount of data involved.

The volume key can't be specified - it is generated by encfs (by OpenSSL actually) and is not directly visible to the user. It also isn't possible to directly provide user key bits, but it is possible to provide binary data to encfs in lieu of a password. See the --extpass option in the man page for details.

regards,
Valient

On Sat, Sep 20, 2008 at 2:34 AM, John McNair <jo...@mc...> wrote:
> Is there a way to handle key rotation seamlessly with EncFS? I need to
> encrypt a directory that serves as a persistent queue for sensitive data. I
> need to be able to rotate keys on a regular basis, and it would be nice to
> be able to accomplish that without taking down the application(s) using the
> directory. Note that I am specifically talking about rotation and not
> revocation. I don't have to re-encrypt existing files upon rotation, but
> new files should use a different key. This also implies that decryption
> should be able to use multiple keys simultaneously if only for a short
> period of time.
>
> I can see the workaround:
> - stop application(s) that use encrypted directory
> - create new encrypted directory with a different key
> - copy old clear files to new encrypted location
> - umount and rm/mv old directory
> - mv new directory into place
> - start application(s) again
>
> That solution involves downtime though.
>
> One other thing: Can EncFS accept keys generated by an external tool?
>
> --
> John McNair
> jo...@mc...
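The two-key arrangement Valient describes, as an added example that is not EncFS's own code or header format: a passphrase, or raw bytes handed over by an --extpass style helper, is stretched into a user key that wraps a randomly generated volume key, and a password change only rewraps that volume key while the data encrypted under it is left untouched. The wrap primitive (HMAC-SHA256 keystream plus tag), the header layout and the PBKDF2 parameters are stand-ins chosen here so the block runs with the standard library.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the scheme in the reply: user key wraps volume key,
# volume key encrypts data. The wrap used here is HMAC-SHA256 keystream plus an
# HMAC tag; it is NOT EncFS's real OpenSSL cipher or on-disk header format.

def derive_user_key(secret: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """Stretch a passphrase or arbitrary binary secret (--extpass style) into a 32-byte user key."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(map(len, blocks)) < length:
        msg = b"stream" + nonce + counter.to_bytes(4, "big")
        blocks.append(hmac.new(key, msg, hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under `key`; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def unwrap(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt; a wrong key raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def create_volume(secret: bytes) -> dict:
    """As in encfs, the volume key is random and never user-chosen; the header stores it wrapped."""
    salt, volume_key = os.urandom(16), os.urandom(32)
    return {"salt": salt, "wrapped_key": wrap(derive_user_key(secret, salt), volume_key)}

def open_volume(header: dict, secret: bytes) -> bytes:
    """Recover the volume key; this is the only place the user key is ever used."""
    return unwrap(derive_user_key(secret, header["salt"]), header["wrapped_key"])

def rotate_password(header: dict, old_secret: bytes, new_secret: bytes) -> dict:
    """User-key rotation: rewrap the same volume key under a new user key, touch no file data."""
    volume_key = open_volume(header, old_secret)
    salt = os.urandom(16)
    return {"salt": salt, "wrapped_key": wrap(derive_user_key(new_secret, salt), volume_key)}
```

The old header still unwraps the same volume key under the old password, so this kind of rotation is not revocation: the old header must be replaced, and cutting off access to existing data means the new-filesystem migration John describes.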