[dm-crypt] Pass+keyfile

Arno Wagner arno at wagner.name
Mon Dec 1 13:49:59 CET 2014


This construction is redundant and does not provide any 
additional security as compared to passphrase alone, 
assuming that your passphrase is secure.

If your passphrase is insecure, you should fix that 
instead.

Arno




On Mon, Dec 01, 2014 at 03:54:19 CET, 0x14 at openmailbox.org wrote:
> Hi there, is this construction secure? Assuming "keyfile" is a file
> and "/dev/device" is a block device, both made with /dev/urandom.
> 
> cryptsetup open --hash=sha512 --cipher=aes-xts-plain64 --type=plain
> keyfile keyfile_tmp && cat /dev/mapper/keyfile_tmp | \
> cryptsetup open --hash=sha512 --cipher=aes-xts-plain64 --type=plain
> --key-file=- /dev/device cryptodevice && \
> cryptsetup close keyfile_tmp && mount /dev/mapper/cryptodevice
> /media/cryptodevice
> 
> The goal is to use pass+keyfile to decrypt storage. I put it in a
> script and it works as it should at a glance. Are there alternatives
> or improvements? Stupid errors maybe?
> 
> Thanks.
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier


More information about the dm-crypt mailing list