Gentoo Archives: gentoo-user

From: "Stefan G. Weichinger" <lists@×××××.at>
To: Jan Engelhardt <jengelh@×××××××.de>
Cc: gentoo-user@l.g.o, Daniel Troeder <daniel@×××××××××.com>, walt <w41ter@×××××.com>, Florian Philipp <lists@××××××××××××××××××.net>, Jason Dusek <jason.dusek@×××××.com>, Till Maas <opensource@××××.name>, hanno@g.o
Subject: [gentoo-user] Re: Kernel upgrade and now LUKS failure
Date: Tue, 18 May 2010 18:59:09
Message-Id: 4BF2E336.8030106@xunil.at
In Reply to: [gentoo-user] Re: Kernel upgrade and now LUKS failure by Jan Engelhardt
On 18.05.2010 19:57, Jan Engelhardt wrote:

>> But given the fact that I store the key on the same hard-disk with the
>> shadowed user-pw I could also leave that openssl-part straight away,
>> correct?? seems the same level of (in)security to me ...
>
> Yes. The point of keyfiles is to be able to change the password on
> a volume.
>
> Without a keyfile, a crypto program would take the password, hash it
> somehow, and you get your AES key. Changing the password means having
> a different AES key, meaning decrypting the disk will yield a
> different result. In other words, changing the password would require
> at least reading the old data, reencrypting it and writing it again.
> Takes time.
>
> With a keyfile, you retain the same AES key all the time, and encrypt
> the AES key itself - reencrypting the AES key is quick, as it's
> only some xyz bits, not terabytes.

Ok, I see. So my current setup with one disk only and SSL-generated
keyfile does not add security but flexibility (being able to switch
passwords more quickly).

Do you see a way of getting this working with my current packages:

pam_mount-2.1
sys-fs/cryptsetup-1.1.1_rc2

and LUKS ... ?

As mentioned the old keyfile works with pam_mount-1.33, when I check the
changelog at

http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/sys-auth/pam_mount/ChangeLog?view=markup

this is a package from 10 Jan 2010, so maybe it wouldn't be too risky to
just mask >pam_mount-1.33

-

On the other hand I would like to get that done right, sure.

Any howto without pmt-ehd that would keep me safe from newlines etc
(btw. there were NO newlines in that hexdump-output)?

Thanks for your time, Stefan
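The key-slot mechanism Jan describes above, as an added illustration that is not code from this thread, from cryptsetup or from pam_mount: a random master key encrypts the data, a passphrase-derived key wraps only the master key, so changing the passphrase re-wraps 32 bytes and leaves the ciphertext untouched. It also shows why a stray trailing newline in keyfile material matters: the derived wrapping key changes and the slot no longer opens. The stream cipher and slot layout are a deliberately simplified model, not the LUKS on-disk format.

```python
import hashlib
import hmac
import os


def derive_kek(passphrase: bytes, salt: bytes) -> bytes:
    # Slow KDF turns passphrase (or keyfile bytes) into a key-encryption key.
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000, dklen=32)


def keystream(key: bytes, length: int) -> bytes:
    # Toy SHA-256 counter-mode stream; illustration only, not a real cipher.
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyVolume:
    def __init__(self, passphrase: bytes, plaintext: bytes):
        self.master_key = os.urandom(32)  # fixed for the life of the volume
        self.ciphertext = xor(plaintext, keystream(self.master_key, len(plaintext)))
        self.slot = self._wrap(passphrase)

    def _wrap(self, passphrase: bytes):
        # Encrypt the master key under the passphrase-derived KEK; the MAC lets
        # unlock() detect a wrong passphrase instead of returning garbage.
        salt = os.urandom(16)
        kek = derive_kek(passphrase, salt)
        wrapped = xor(self.master_key, keystream(kek, 32))
        tag = hmac.new(kek, wrapped, "sha256").digest()
        return salt, wrapped, tag

    def unlock(self, passphrase: bytes):
        salt, wrapped, tag = self.slot
        kek = derive_kek(passphrase, salt)
        if not hmac.compare_digest(tag, hmac.new(kek, wrapped, "sha256").digest()):
            return None  # wrong passphrase, or keyfile bytes that differ by a newline
        mk = xor(wrapped, keystream(kek, 32))
        return xor(self.ciphertext, keystream(mk, len(self.ciphertext)))

    def change_passphrase(self, old: bytes, new: bytes) -> None:
        if self.unlock(old) is None:
            raise ValueError("wrong passphrase")
        self.slot = self._wrap(new)  # only the 32-byte key is re-wrapped
```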
