[dm-crypt] Passphrase protected key file?

Laurence Darby ldarby at tuffmail.com
Tue Jul 12 00:17:32 CEST 2011


My next question: what's the best way to have a passphrase protected key file?
Should I encrypt it with GPG, and then do e.g.:

 gpg -d ~/pass_key  | cryptsetup luksOpen --key-file - /dev/loop1 loop1

That has the advantage of using the same passphrase I use for
everything else, but is there any security risk I'm not seeing?  I read
that encrypting something twice or with multiple ciphers is effectively
a new unknown cipher, potentially trivially breakable - I don't think
that applies here, but is there anything like that I need to watch out for?

Alternatively, I could just do this:

( cat ~/pass_key ; cat ) | cryptsetup luksOpen --key-file - /dev/loop1 loop1

so I still have to provide both the key and passphrase, terminated with
Ctrl-D.  Any thoughts?
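
With `--key-file -`, cryptsetup reads stdin to EOF and does not strip a newline, so in the second command the key is the file's bytes plus exactly what was typed, and Enter followed by Ctrl-D gives a different key than Ctrl-D pressed twice. The following is an added example, not part of the original post; it builds that byte stream the same way every time and without echoing the passphrase, and the helper names `composite_key` and `open_with_composite` are hypothetical:

```shell
#!/bin/sh
# Added example: emit "key file bytes + passphrase" as one deterministic stream.

# composite_key KEYFILE
# Reads one passphrase line from stdin and writes KEYFILE's raw bytes followed
# by the passphrase WITHOUT a trailing newline. The body is a subshell, so the
# variables and the trap stay local to the call.
composite_key() (
    keyfile=$1
    [ -r "$keyfile" ] || { echo "cannot read key file: $keyfile" >&2; exit 1; }
    if [ -t 0 ]; then
        # Interactive use: turn echo off, and restore it if interrupted.
        trap 'stty echo; exit 130' INT TERM
        stty -echo
        printf 'Passphrase: ' >&2
        IFS= read -r pass || true
        stty echo
        printf '\n' >&2
    else
        # Piped input: accept the line with or without a final newline.
        IFS= read -r pass || true
    fi
    [ -n "$pass" ] || { echo "empty passphrase" >&2; exit 1; }
    cat -- "$keyfile"        # key file bytes, unmodified (binary safe)
    printf '%s' "$pass"      # passphrase bytes only, newline dropped
)

# open_with_composite DEVICE NAME KEYFILE
# Same cryptsetup invocation as in the post, fed by composite_key.
# Needs root and an existing LUKS volume; defined here but not called.
open_with_composite() {
    composite_key "$3" | cryptsetup luksOpen --key-file - "$1" "$2"
}
```

The key slot has to be enrolled with the same byte stream, otherwise the volume will not open with it.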


