I am writing a Chef LWRP to add a key to a LUKS container and I'm having difficulty coming up with a way to determine whether or not my key already exists. cryptsetup luksAddKey will happily add the same keyfile multiple times, so I can't simply keep calling luksAddKey each Chef run.
So far, the best that I have come up with is
cryptsetup luksDump /dev/xvdf1 --dump-master-key --key-file <thenewkey> > /dev/null
That seems:
- CPU intensive
- not very secure
Anyone have a better idea?
Thanks!