[dm-crypt] Pass+keyfile

0x14 at unseen.is
Mon Dec 1 18:37:16 CET 2014


> And now do a scenario where an attacker has the passphrase, but
> not root access and not the keyfile. There are not many
> possibilities for that to happen and most are unrealistic.

1. I know about the attacker and destroy the keyfile before the attacker gets a copy 
of it. That is the most important thing I can think of when using an 
encrypted keyfile.
2. I have the keyfile in a safe in a far-away location (in a bunker in another 
country, maybe), while my mixed (encrypted and unencrypted) data 
is always with me. Or vice versa.
3. An attacker can put a hidden camera behind me while I am typing the password 
(or take a similar approach) and then get a copy of the encrypted data (that is 
far easier than getting full root access).
4. After encrypting, I give the single copy of the keyfile to another person (living 
in a bunker in another country, of course). I know the passphrase, 
he owns the keyfile, and we can get to the data only if we meet in person, for 
example.
...

> No. The SD card is a lot _harder_ to destroy than the LUKS header.
> The LUKS header is gone after a single overwrite of 2MiB of data.
> The SD card needs very careful physical destruction.

I said microSD card. Scissors will definitely destroy the data in a few 
seconds; you can destroy it even with your teeth, or with a lighter maybe. 
Destroying the LUKS header, on the other hand, demands a working computer and knowing what 
you are doing (you might prepare a script for that, though). Even if you 
have a drill or a hammer, destroying a hard drive with it to an unrecoverable 
state is harder than destroying an SD or microSD card or even a flash drive.

BTW, why do you say it is hard to destroy an SD card? I always thought even 
small physical damage to the crystal makes the data on it practically 
unrecoverable.

P.S. I may have accidentally replied to Arno's email and not to this mailing list; 
I will be more careful next time.
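The scenarios above all rest on one property: neither the passphrase nor the keyfile alone unlocks the data, and destroying the keyfile makes the passphrase worthless. The following is an added, stand-alone illustration of that two-factor model, not code from this thread or from cryptsetup. LUKS itself does not combine a passphrase and a keyfile inside one key slot; here the two are bound with scrypt and HMAC (stdlib only) purely to make the "attacker holds one factor" cases concrete. The passphrase, salt and keyfile bytes are constructed sample values, and `destroy_keyfile` is a hypothetical helper.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

# Constructed salt for the example; a real deployment would store a random per-volume salt.
SALT = b"constructed-salt-for-illustration"


def passphrase_factor(passphrase: str, salt: bytes = SALT) -> bytes:
    """Stretch the passphrase with a memory-hard KDF (scrypt, 16 MiB)."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def derive_volume_key(passphrase: str, keyfile: bytes) -> bytes:
    """Bind both factors: the keyfile is MACed under the passphrase-derived key,
    so changing or losing either factor yields a different 32-byte key."""
    return hmac.new(passphrase_factor(passphrase), keyfile, hashlib.sha256).digest()


def unlock(passphrase: str, keyfile: bytes, expected_key: bytes) -> bool:
    """Constant-time comparison against the key the volume was set up with."""
    return hmac.compare_digest(derive_volume_key(passphrase, keyfile), expected_key)


def destroy_keyfile(path: str) -> bool:
    """Best-effort destruction of an on-disk keyfile: overwrite in place, then unlink.
    On flash media (SD/microSD, SSD) wear levelling may leave the old blocks intact,
    which is why the thread prefers physical destruction of the card itself."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        fh.write(os.urandom(size))
        fh.flush()
        os.fsync(fh.fileno())
    os.unlink(path)
    return not os.path.exists(path)


def scenario_checks() -> dict:
    """Replay the attacker-holds-one-factor scenarios from the message."""
    passphrase = "correct horse battery staple"   # constructed sample passphrase
    keyfile = secrets.token_bytes(64)              # constructed random keyfile
    volume_key = derive_volume_key(passphrase, keyfile)

    return {
        # Legitimate owner: both factors present.
        "both": unlock(passphrase, keyfile, volume_key),
        # Scenario 3: passphrase captured on camera, but no keyfile.
        "passphrase_only": unlock(passphrase, b"", volume_key),
        # Scenario 4: keyfile holder without the passphrase.
        "keyfile_only": unlock("", keyfile, volume_key),
        # Wrong passphrase with the right keyfile.
        "wrong_passphrase": unlock("wrong passphrase", keyfile, volume_key),
    }


def destroyed_keyfile_check() -> bool:
    """Scenario 1: the keyfile is destroyed before the attacker copies it.
    Returns True when the file is gone and the passphrase alone no longer unlocks."""
    passphrase = "correct horse battery staple"
    keyfile = secrets.token_bytes(64)
    volume_key = derive_volume_key(passphrase, keyfile)

    fd, path = tempfile.mkstemp(prefix="example-keyfile-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(keyfile)

    gone = destroy_keyfile(path)
    # The attacker later obtains the passphrase, but the keyfile bytes are unrecoverable.
    return gone and not unlock(passphrase, b"", volume_key)


if __name__ == "__main__":
    for name, ok in scenario_checks().items():
        print(f"{name:18s} unlock={ok}")
    print("keyfile destroyed, passphrase alone fails:", destroyed_keyfile_check())
```

The point of the shape is that the volume key never exists on disk and cannot be reconstructed from the filmed passphrase, the stolen keyfile, or a copy of the encrypted data alone; with real LUKS the equivalent is keeping the keyfile wrapped under a passphrase outside the header, which is what the thread's "encrypted keyfile" refers to.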

