[dm-crypt] Passphrase protected key file?

Arno Wagner arno at wagner.name
Thu Jul 14 15:35:33 CEST 2011

On Thu, Jul 14, 2011 at 01:55:50PM +0200, Ma Begaj wrote:
> > Also note that an attacker that has access to the storage could
> > patch your GnuPG binary or other system components.
> well that is another story because an attacker could in that case patch
> cryptsetup too. If s/he can do that it is not important whether you
> use an encrypted key file on a USB stick or directly cryptsetup.

Indeed. But are there any realistic scenarios where

a) a passphrase is significantly less secure than an encrypted
   passphrase stored on USB with a second passphrase to decrypt that

b) the attacker does not have the possibility to patch
   GnuPG/cryptsetup/other things that make the second passphrase
   just as weak as the first one?

My claim is that a realistic risk analysis will show there
are no such scenarios that are typical and hence having
an encrypted passphrase on a USB stick does not offer
improved security.

Remember, IT security is pure risk management, possibly
with IT means.

Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno at wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 