[dm-crypt] Pass+keyfile

0x14 at unseen.is
Tue Dec 2 20:16:43 CET 2014


Ok, if you don't want to talk about "plausible deniability", let's get 
back to security if you don't mind :)

> Simpler solution: Use a very long passphrase, learn one part by
> heart and the other part not and have that on paper. The part
> on paper could, for example, be 50 random letters and digits.
> At least I could not remember that. In case of emergency, destroy
> the paper. (Make it edible for better convenience.) Use
> several/all keyslots to make the paper-part harder to remember.

Why should I use paper for that? It is simpler in a way, since you don't 
need a computer to write something down. But as for security there are 
only disadvantages: paper wears (destruction is not, or far less, 
controllable than with digital storage), it is not resistant to water, it 
could be easily copied by an attacker and not by you (if you don't trust 
electronics)... and I don't mention convenience like the ability to carry as 
many keyfiles as I want without looking strange, etc.

Also, for example, 1024 or 16k letters is far better for security 
than 50+what_you_can_remember letters for a passphrase... from a 
"cryptographical perspective", please excuse my ignorance :)

> If you have a safe location, put all data there. You do not even
> need to encrypt in this case.

There is no such thing as a perfectly safe location, that's why we use 
cryptography :-\
A far-away safe location could give you or your partner some time to undertake 
countermeasures. More time in many cases means more security, am I 
right?

>> 3. Attacker can attach a hidden camera behind me while I'm typing the
>> password (or do a similar approach) and then get a copy of the encrypted
>> data (it is far easier than getting full root access)
> 
> Oh? Just have the attacker look with the camera while you type
> in your root password...

Root password != full access right away. Also, they could "catch" one 
password and not the other.

>> 4. After encrypting, I give a single copy of the keyfile to another person
>> (he is living in a bunker in another country, of course). I know the
>> passphrase, he owns the keyfile; we can get to the data only if we meet
>> in person, for example.
>> ...
> 
> Do the same thing, but just one part data one part passphrase.
> The keyfile does not add anything.

I agree here :)
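The thread above compares a memorised passphrase part with a stored part (50 characters on paper versus a 1024-byte keyfile) and argues about which is "better for security". The script below is an added example, not code from this post or from the cryptsetup project: it puts numbers on the entropy of each part and shows that, once the parts together exceed the volume's master key size, extra keyfile length buys no additional brute-force resistance. It assumes a 256-bit master key, a 12-character memorised part, and a PBKDF2 iteration count chosen for a quick demo; the way the two parts are combined is an illustrative construction, since cryptsetup itself treats a keyfile as a keyslot's whole secret rather than concatenating it with a typed passphrase.

```python
# Added example (not cryptsetup's own code): entropy budget of a
# "memorised part + stored part" secret, and a two-part key derivation in
# which losing either part makes the unlock key unrecoverable.
import hashlib
import math
import secrets

ALPHANUMERIC = 62           # [A-Za-z0-9], the alphabet of the "paper part"
MASTER_KEY_BITS = 256       # assumed: volume master key of 256 bits
PBKDF_ITERATIONS = 100_000  # assumed: fast demo value, not a production setting


def entropy_bits(n_symbols: int, alphabet_size: int) -> float:
    """Entropy of n_symbols drawn uniformly at random from alphabet_size symbols."""
    return n_symbols * math.log2(alphabet_size)


def effective_key_bits(part_bits: list[float], master_bits: int = MASTER_KEY_BITS) -> float:
    """Brute-force work is bounded by the smaller of the parts' combined entropy
    and the master key size; bits beyond the master key add nothing."""
    return min(sum(part_bits), master_bits)


def make_keyfile(n_bytes: int) -> bytes:
    """Constructed stored part: CSPRNG bytes, the digital counterpart of the paper part."""
    return secrets.token_bytes(n_bytes)


def derive_unlock_key(passphrase: str, keyfile: bytes, salt: bytes,
                      iterations: int = PBKDF_ITERATIONS) -> bytes:
    """Combine the memorised part and the stored part into one 32-byte unlock key.

    Illustrative construction (assumption): both parts are length-prefixed before
    concatenation so ("ab", b"c") and ("a", b"bc") cannot collide, then fed to
    PBKDF2-HMAC-SHA256. Without either part the output cannot be recomputed.
    """
    pw = passphrase.encode("utf-8")
    material = (len(pw).to_bytes(4, "big") + pw
                + len(keyfile).to_bytes(4, "big") + keyfile)
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations, dklen=32)


def compare_schemes() -> dict[str, float]:
    """Entropy of the schemes discussed in the thread, capped by the master key."""
    memorised = entropy_bits(12, ALPHANUMERIC)     # assumed: 12 random alphanumerics learned by heart
    paper_50 = entropy_bits(50, ALPHANUMERIC)      # 50 random letters/digits on paper
    keyfile_1024 = entropy_bits(1024, 256)         # 1024 random bytes in a keyfile
    return {
        "paper_50_bits": round(paper_50, 1),
        "keyfile_1024_bits": round(keyfile_1024, 1),
        "memorised+paper_effective": effective_key_bits([memorised, paper_50]),
        "memorised+keyfile_effective": effective_key_bits([memorised, keyfile_1024]),
    }


if __name__ == "__main__":
    salt = secrets.token_bytes(16)  # constructed; LUKS keeps its own per-keyslot salt
    kf = make_keyfile(1024)
    key = derive_unlock_key("correct horse", kf, salt)
    print(compare_schemes())
    print("unlock key:", key.hex())
    # A different stored part (e.g. the real one was destroyed) yields a different key.
    print("same key with another keyfile:",
          derive_unlock_key("correct horse", make_keyfile(1024), salt) == key)
```

Run it as-is to see that both "50 on paper" and "1024-byte keyfile" land at the same 256-bit effective strength once combined with a memorised part; the keyfile's advantage over paper, as the post argues, lies in handling and destruction, not in the raw key length.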