[dm-crypt] Security concern: gpg keyfile vs passphrase

Sven Eschenberg sven at whgl.uni-frankfurt.de
Thu Jul 9 21:00:43 CEST 2015


It's a simple strategy to mitigate physical theft, if your 'key-material'
is on a moveable device. (while it is trivial to acquire a physical object
unnoticed it's much harder to acquire something from the brain of a person
unnoticed, I'd assume)

-Sven

On Tue, July 7, 2015 23:20, Arno Wagner wrote:
> I think a keyfile is only better if it resides in a different
> place than the LUKS header, i.e. is on an USB stick that gets
> removed or the like and can hence act as an extra factor.
>
> Crtypto-wise, if yoy use a high-entropy passphrase,see
> FAQ Item 5.1 at
>    https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions/
> ...I do not see any reason why using GnuPG to protect the
> passhrase would be any more secure.
>
> Arno
>
>
> On Tue, Jul 07, 2015 at 23:08:17 CEST, lyz wrote:
>> The keyfile will be stored in the /boot partition.
>>
>> My question is if it's in a cryptographic way more secure, like if gpg
>> encryption of a keyfile is more difficult to break rather than a
>> dm-crypt encryption of a device, therefore it's logical to use a keyfile
>> to encrypt the device and gpg to encrypt the keyfile.
>>
>> Thanks
>>
>> On 07/07/2015 10:52 PM, wintonian wrote:
>> > A quick guess,
>> >
>> > In this scenario you have the following:-
>> >
>> > A, something physical - i.e. a keyfile.
>> > plus
>> > B, something known - i.e. a pass phrase.
>> >
>> > Which equals something more secure
>> >
>> > I guess there might be more to it than that, but I assume that's part
>> of
>> > it.
>> >
>> > Regards
>> > Robert
>> >
>> > On 07/07/15 21:32, lyz wrote:
>> >> Hi all,
>> >>
>> >> I'm encrypting my whole system under LUKS, and I've seen that in the
>> >> wiki of Arch and Gentoo they suggest to use a keyfile and encrypt it
>> >> with gpg.
>> >>
>> >> Why is more secure to encrypt a keyfile with a passphrase and then
>> >> encrypt the device with the keyfile rather than encrypting the device
>> >> directly with the passphrase?
>> >>
>> >> Against a brute force attack the passphrase is the same, so they
>> should
>> >> be equally secure, am I wrong?
>> >>
>> >> Thank you
>> >>
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> dm-crypt mailing list
>> >> dm-crypt at saout.de
>> >> http://www.saout.de/mailman/listinfo/dm-crypt
>> >>
>> >
>>
>
>
>
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt at saout.de
>> http://www.saout.de/mailman/listinfo/dm-crypt
>
>
> --
> Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
> GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D
> 9718
> ----
> A good decision is based on knowledge and not on numbers. -- Plato
>
> If it's in the news, don't worry about it.  The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>




More information about the dm-crypt mailing list