On 18.05.2010 19:57, Jan Engelhardt wrote:

>> But given the fact that I store the key on the same hard-disk with the
>> shadowed user-pw I could also leave that openssl-part straight away,
>> correct? Seems the same level of (in)security to me ...
>
> Yes. The point of keyfiles is to be able to change the password on
> a volume.
>
> Without a keyfile, a crypto program would take the password, hash it
> somehow, and you get your AES key. Changing the password means having
> a different AES key, meaning decrypting the disk will yield a
> different result. In other words, changing the password would require
> at least reading the old data, re-encrypting it and writing it again.
> Takes time.
>
> With a keyfile, you retain the same AES key all the time, and encrypt
> the AES key itself - re-encrypting the AES key is quick, as it's
> only some xyz bits, not terabytes.

OK, I see. So my current setup with one disk only and SSL-generated
keyfile does not add security but flexibility (being able to switch
passwords more quickly).

Do you see a way of getting this working with my current packages:

pam_mount-2.1
sys-fs/cryptsetup-1.1.1_rc2

and LUKS ... ?

As mentioned, the old keyfile works with pam_mount-1.33; when I check the
changelog at

http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/sys-auth/pam_mount/ChangeLog?view=markup

this is a package from 10 Jan 2010, so maybe it wouldn't be too risky to
just mask >pam_mount-1.33

-

On the other hand I would like to get that done right, sure.

Any howto without pmt-ehd that would keep me safe from newlines etc.
(btw. there were NO newlines in that hexdump output)?

Thanks for your time, Stefan
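The trailing-newline pitfall Stefan asks about, as an added example that is not part of the thread: a POSIX shell check that reports whether a keyfile ends in a 0x0a byte and how many bytes it holds. cryptsetup consumes a keyfile verbatim, newline included, so a key written with `echo` is a different key from the same string typed as a passphrase. Assumes only `od`, `tail`, `head`, `wc` and /dev/urandom are available; file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: inspect LUKS/pam_mount keyfiles for a stray trailing LF.

# Succeed (exit 0) if the last byte of file $1 is 0x0a, fail otherwise.
keyfile_has_trailing_newline() {
    last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ]
}

# Print the exact byte count of $1: this is what cryptsetup uses as key.
keyfile_size() {
    wc -c < "$1" | tr -d ' '
}

# Write $2 random bytes to $1 with owner-only permissions.
# A binary key may legitimately end in 0x0a; that is harmless as long as
# the whole file is always used. The check matters for text-derived keys.
make_random_keyfile() {
    (umask 077; head -c "$2" /dev/urandom > "$1")
}

demo() {
    dir=$(mktemp -d)
    # Pitfall: echo appends LF, so the key becomes "secret\n" (7 bytes).
    echo "secret" > "$dir/bad.key"
    # printf writes exactly the bytes given (6 bytes).
    printf '%s' "secret" > "$dir/good.key"
    make_random_keyfile "$dir/random.key" 32
    for f in bad good random; do
        if keyfile_has_trailing_newline "$dir/$f.key"; then
            printf '%s.key: %s bytes, trailing newline\n' \
                "$f" "$(keyfile_size "$dir/$f.key")"
        else
            printf '%s.key: %s bytes, no trailing newline\n' \
                "$f" "$(keyfile_size "$dir/$f.key")"
        fi
    done
    rm -rf "$dir"
}
```

Run `demo` to see the two text keys differ by exactly one byte; the same test can be pointed at an existing keyfile before it is handed to `cryptsetup luksAddKey`.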