We recently developed Arver for LUKS – a distributed key manager with benefits!

If you want to use it too check out arver at codecoop.

It is not just another tool to conviniently store passwords for LUKS. No, it is a shiny monkeywrench for all sorts of challenges you face when administrating more than one server with encrypted harddrives. Plus it even enhances LUKS security in several ways.

But let me prove this by giving some examples:

shared passwords no more

Shared passwords are arguably one of the worst threats to your environment. They are hard to change, hard to revoke, hard to keep safe and tend to be simpler than advised. With arver every admin has its own gpg-key that is used to grant him access to the LUKS disks. Moreover access can be granted on a per-device basis!

Lets assume i created a new LUKS partition and want to grant bob access to it: ‘arver –add-user bob a_server/a_disk’ will assign a new passphrase to a_disk on a_server and store it encrypted with bob’s public gpg-key as arver-key. Bob can then use this arver-key to open a_disk. No need to communicate any password in plaintext!

mind the rubberhose

Well what would Alice do if Bob made her aware that he might be under pressure to release any internal data. She would just execute ‘arver –del-user bob ALL’

And even if she didn’t do this Bob could always claim that he doesn’t have access to a particular disk since his arver-key doesn’t reveal for which disks it is.

more uptime

Arver lets you automate all tasks surrounding LUKS managemant. It has script hooks for pre-/post open/close. Imagine you had a power outtake in a_colo. With the right setup it should be enough to: ‘arver –open a_colo’.

This will loop over all hosts at a_colo, e.g. first executing pre_open scripts on a disk-basis that create a loop-device. Then post-open scripts on a host-hasis to start all virtual servers that were waiting for a LUKS disk to be opened.

interested?

If you’d like to know more about Arver we recommend reading the man page, look at this confusing diagram or download arver directly as gem.