Hmmmm, for some reason, I didn't get Michael's email. I see him being quoted but don't have his original. I wonder what is up with that. O-o
Rich Freeman wrote:
> On Tue, Sep 19, 2023 at 4:26 AM Michael <confabul...@kintzios.com> wrote:
>> On Tuesday, 19 September 2023 06:36:13 BST Dale wrote:
>>> Howdy,
>>>
>> A strong password, like a strong door lock, buys you time. Hence the general
>> recommendation to change your passwords frequently.
> While that can help on websites, it is of no use for full disk
> encryption passwords - at least not without jumping through some big
> hoops.
>
> In order to crack your LUKS password somebody obviously needs to be
> able to read the encrypted contents of your disk. They cannot begin
> cracking it until they have a copy of the LUKS headers. However, once
> they do have it, they can make a copy and crack it at their leisure.
> If they manage to crack it, then it will give them the volume key. At
> that point if they were able to make a full copy of your disk they can
> read whatever was on it at the time. If they can make a fresh copy of
> your disk then changing the passphrase will not change the volume key,
> and so they'll be able to read what is currently on your disk.
>
> Changing the volume key would defeat this, but requires running
> cryptsetup-reencrypt which will take considerable time/CPU, though it
> sounds like it can be done online.
>

Let's jump into a hypothetical here. Let's say I'm a nasty terrorist or some other really evil dude. Let's say I have passwords that are really good. Let's say around 20 characters and a really nice mix of characters. If some gov't agency got my hard drive, how long would it take for them to crack it? I know when Snowden released all that info, there were some changes to encryption. Still, do they have the ability to crack them without much trouble? Is there something better to use than what I'm using now?

I might add, when I configured my three drive setup, I sort of did it a different way. I still used cryptsetup but I used it later in the process. I also made sure to put the luks bit in. That way I can change passwords if needed. I found a new howto and it seems to end the same way but it's done in layers. Luks first and then encryption but different somehow. Mostly, I can change passwords on it. I don't really get the whole thing, yet. If I read it enough, my light bulb will come on. o_O

>
>>> Also, I use cryptsetup luksFormat -s 512 ... to encrypt things. Is
>>> that 512 a good number? Can it be something different? I'd think since
>>> it is needed as an option, it can have different values and encrypt
>>> stronger or weaker. Is that the case? I've tried to find out but it
>>> seems everyone uses 512. If that is the only value, why make it an
>>> option? I figure it can have other values but how does that work?
> You can use a different size, but 512b is the recommended value for
> the default cipher. It is also the default I believe, so there isn't
> much point in passing it. Actually, I'd consider passing that
> parameter harmful unless you also specify the cipher. If in the
> future the default changes to some other cipher, perhaps 512b will no
> longer be appropriate, and you'll weaken it by specifying one and not
> the other.
>
> If you just want to trust the defaults, then trust the defaults.
>
> As to why 512b is the recommendation, that seems like it would require
> a LOT more reading. Apparently it is in an IEEE standard and I'd need
> to grok a lot more crypto to appreciate it.
>

Well, I was wondering if it could be set to 1024 and it would make the encryption stronger or something. I've searched but no one explains what that number really does other than set something. Since that is the default, I guess I can leave that out of my command. Save me some typing. Anyway, 512 it is.

Dale

:-) :-)
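The two points in the thread above (Rich's: changing the passphrase re-wraps the same volume key, only reencryption replaces it; and Dale's question about what `-s 512` actually sets) as an added example that is not part of the mailing-list thread and not cryptsetup's own code. It is a small Python model of a LUKS header: the class and function names are invented, and the key wrapping (a PBKDF2-derived pad XORed over the volume key) and the per-sector "cipher" (a hash keystream) are stand-ins for LUKS's AF-split key slots and AES-XTS, chosen only so the key hierarchy is visible in a few lines.

```python
import hashlib
import hmac
import os

# Constructed toy model of the LUKS key hierarchy (not cryptsetup code).
PBKDF_ITERATIONS = 20_000  # small so the demo runs quickly; cryptsetup benchmarks this per host


def effective_aes_key_bits(cipher: str, key_bits: int) -> int:
    """XTS consumes two equal-size keys, so '-s 512' with aes-xts-plain64 is AES-256."""
    return key_bits // 2 if "-xts-" in cipher else key_bits


def kdf(passphrase: str, salt: bytes, length: int) -> bytes:
    """Passphrase -> key-encryption key (PBKDF2 here, as LUKS1 uses; LUKS2 defaults to Argon2)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               PBKDF_ITERATIONS, dklen=length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_sector_crypt(volume_key: bytes, sector: int, data: bytes) -> bytes:
    """Stand-in for per-sector XTS: hash-derived keystream, same call decrypts. Not real XTS."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(volume_key + sector.to_bytes(8, "big")
                                 + block.to_bytes(4, "big")).digest()
        block += 1
    return xor_bytes(data, stream[:len(data)])


class ToyLuksHeader:
    """Volume key plus key slots: enough to show what luksChangeKey and reencrypt do."""

    def __init__(self, passphrase: str, cipher: str = "aes-xts-plain64", key_bits: int = 512):
        self.cipher, self.key_bits = cipher, key_bits
        self.slots: dict[int, tuple[bytes, bytes]] = {}   # slot -> (salt, wrapped volume key)
        self._new_volume_key()
        self.add_passphrase(passphrase)

    def _new_volume_key(self) -> None:
        self.volume_key = os.urandom(self.key_bits // 8)
        self.mk_salt = os.urandom(16)
        # Digest of the volume key lets unlock() recognise a correct passphrase (LUKS keeps one too).
        self.mk_digest = hashlib.pbkdf2_hmac("sha256", self.volume_key, self.mk_salt, PBKDF_ITERATIONS)

    def add_passphrase(self, passphrase: str) -> int:
        salt = os.urandom(16)
        wrapped = xor_bytes(kdf(passphrase, salt, len(self.volume_key)), self.volume_key)
        slot = max(self.slots, default=-1) + 1
        self.slots[slot] = (salt, wrapped)
        return slot

    def _find_slot(self, passphrase: str):
        for slot, (salt, wrapped) in self.slots.items():
            candidate = xor_bytes(kdf(passphrase, salt, len(wrapped)), wrapped)
            digest = hashlib.pbkdf2_hmac("sha256", candidate, self.mk_salt, PBKDF_ITERATIONS)
            if hmac.compare_digest(digest, self.mk_digest):
                return slot, candidate
        return None

    def unlock(self, passphrase: str):
        """Return the volume key if any slot opens with this passphrase, else None."""
        found = self._find_slot(passphrase)
        return found[1] if found else None

    def change_passphrase(self, old: str, new: str) -> None:
        """Like luksChangeKey: the SAME volume key is re-wrapped under the new passphrase."""
        found = self._find_slot(old)
        if found is None:
            raise ValueError("no key slot opens with that passphrase")
        del self.slots[found[0]]
        self.add_passphrase(new)

    def reencrypt(self, passphrase: str) -> None:
        """Like cryptsetup-reencrypt: fresh volume key, slots re-keyed, data rewritten under it."""
        if self.unlock(passphrase) is None:
            raise ValueError("no key slot opens with that passphrase")
        self._new_volume_key()
        self.slots = {}
        self.add_passphrase(passphrase)


def demo_change_vs_reencrypt() -> tuple[bool, bool, bool]:
    """Rich's scenario: assume an old header copy already yielded the volume key."""
    old_pw, new_pw = "old passphrase (constructed)", "new passphrase (constructed)"
    hdr = ToyLuksHeader(old_pw)
    leaked_vk = hdr.volume_key                     # what the holder of the old copy has
    plaintext = b"written after the owner rotated the passphrase"

    hdr.change_passphrase(old_pw, new_pw)
    old_pw_rejected = hdr.unlock(old_pw) is None                                  # True
    ct = toy_sector_crypt(hdr.volume_key, 7, plaintext)
    readable_after_change = toy_sector_crypt(leaked_vk, 7, ct) == plaintext      # True

    hdr.reencrypt(new_pw)
    ct = toy_sector_crypt(hdr.volume_key, 7, plaintext)
    readable_after_reencrypt = toy_sector_crypt(leaked_vk, 7, ct) == plaintext   # False
    return old_pw_rejected, readable_after_change, readable_after_reencrypt


if __name__ == "__main__":
    print("-s 512 with aes-xts-plain64 ->", effective_aes_key_bits("aes-xts-plain64", 512), "AES bits")
    print("(old pw rejected, readable after change, readable after reencrypt) =",
          demo_change_vs_reencrypt())
```

The model makes the header's two layers explicit: a passphrase only ever unlocks a key slot, and the slot hands back the volume key that actually encrypts the sectors. `change_passphrase` touches only the slot, so a volume key recovered from an older copy of the header keeps decrypting new writes; `reencrypt` is the operation that invalidates it. `effective_aes_key_bits` is why `-s 512` is the sensible value for the XTS default and why `1024` would not be "twice as strong" (it is not a valid AES-XTS key size at all).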