[dm-crypt] Pass+keyfile

0x14 at unseen.is
Mon Dec 1 15:54:45 CET 2014


> This construction is redundant and does not provide any
> additional security as compared to passphrase alone,
> assuming that your passphrase is secure.

Additional security, as I see it, will be:

1. If you have knowledge about the encrypted device, you need to not only
know the passphrase, but also have the keyfile (have physical access to
it). Some sort of 2-FA.
2. A separate keyfile may be easier to physically destroy, which may be
crucial when you are in a hurry to do that - small microSD card with
keyfile vs. encrypted hard drive. If I get it right, bigger encrypted
containers in plain mode are also harder to destroy.

Isn't it somehow comparable to having the LUKS header on a separate device
(--header option)?

Am I wrong?

Thanks for patience in advance :)

P.S. Writing from another mail, sorry for possible confusion.

