Sebastian Wiesner wrote:
7v5w7go9ub0o <[EMAIL PROTECTED]> at Friday 27 June 2008, 05:41:15
Chris Walters wrote:
Sorry if this subject has been hashed and rehashed again, but I was wondering
which Gentoo partition encryption scheme is considered the best, in terms of:
1. Security
"....Another thing: If I remember correctly, LUKS keeps the actual key
on the encrypted disk, itself encrypted with a passphrase. Naturally
this means that an attacker only has to break the passphrase, which gets
him the key"
Naturally ... if the user wants to use passphrases, the key needs to be
related to the passphrase somehow, whether by it being derived from the
passphrase through hashing or it being encrypted with a second key, that is
derived from the passphrase.
But a decent hard disk encryption system should be able to store the key
file on a USB stick or on a smart card. Besides increased security,
because there is no weak passphrase, it provides increased comfort: You don't
have to enter a silly passphrase on every boot ;)
Yes.
But if I understand his comment, the LUKS standard requires a copy to be
stored on the HD - even if using the more secure dongle - and keeping a
passphrase-encrypted copy on the HD permanently renders the HD integrity
compromised.
ISTM the better way to use a passphrase would be to passphrase-encrypt
the encryption key and store it somewhere on a boot sector. On the boot
sector - but not within the encrypted disk - as having it on the disk
weakens the disk integrity. If you later acquire a USB, you simply
transfer the whole encryption key to the USB and remove the passphrase
obscuration programs from the boot sector.
So IIUC the question becomes, can one configure LUKS to NOT keep a copy
of the passphrase-protected encryption key on the HD (or is keeping it
there part of the LUKS "standard")?
--
gentoo-user@lists.gentoo.org mailing list