Pupeno wrote:

>>I use the dm-crypt from the kernel....
>>
>I've read that it is insecure and I also read that it is not yet very well
>supported.
>

Dm-crypt is fairly well supported, since it is in the kernel, but I find
it to be harder to set up and less 'flexible' than loop-AES (the changing
passphrase thing, for example).

It provides roughly the equivalent security as loop-AES in "single-key"
mode (where a single key is used to encrypt every block). loop-AES also
supports multi-key mode, where 64 different keys are used to encrypt the
blocks. Multi-key makes certain kinds of attacks (specifically,
watermark) more difficult, but is slower.

However, I seem to recall reading somewhere in the last couple of weeks
that dm-crypt was also getting multi-key support...maybe in the
mm-kernel, or for 2.6.13...

Now, I doubt that most people actually _need_ the extra security of
multi-key encryption. Personally I run loop-AES in single-key mode
because it is faster than multi-key. Plus someone willing to go through
the effort of cracking multi-key encryption would find it much easier to
simply make a credible physical threat, and I will happily give them my
password!! :-)

>I know I don't need a key, but I do want a key (stored in a removable media)
>encrypted with a passphrase I will be able to change, or best, my wife can
>have the key protected with a different passphrase than I do.
>Beyond that, encrypting with a key is much better than doing that with a
>passphrase because the passphrase can be cracked (dictionary attack) while
>the key-encrypted one can't.
>

Well, technically, anything can be cracked given enough time and
computing power.

For using different passwords, this is possible. You would need to
encrypt the same key file with gpg to two different .gpg files....your
wife can use one, and you can use the other. If the key files are
stored on separate pieces of removable media, then you each have your
own "keys" to the system.

-Richard

-- 
gentoo-user@g.o mailing list
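Richard's suggestion above (encrypt the same key file with gpg into two differently protected .gpg files) as an added worked example; this is not part of the original mail. It assumes GnuPG 2.x is on PATH, uses constructed passphrases and a scratch directory in place of removable media, and does not reproduce loop-AES's own key-file layout or the losetup invocation that would consume the decrypted key.

```shell
#!/bin/sh
# Added example (not from the original mail): wrap one random key line under two
# different passphrases with gpg, so two people each hold a .gpg copy protected
# by their own passphrase while the key inside is identical.
# Assumptions: GnuPG 2.x on PATH; passphrases and paths are constructed sample
# values; a scratch directory stands in for removable media.
set -eu

have_gpg() { command -v gpg >/dev/null 2>&1; }

# gpg_wrap PLAINTEXT_FILE OUT_FILE PASSPHRASE: symmetric (passphrase-only)
# encryption; the passphrase is fed on stdin so it never appears in argv.
gpg_wrap() {
    printf '%s' "$3" | gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-fd 0 --symmetric --cipher-algo AES256 -o "$2" "$1"
}

# gpg_unwrap WRAPPED_FILE PASSPHRASE: plaintext on stdout, non-zero exit on a
# wrong passphrase (gpg reports "decryption failed").
gpg_unwrap() {
    printf '%s' "$2" | gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-fd 0 --decrypt "$1"
}

# make_shared_key DIR PASS_A PASS_B: create DIR/key-a.gpg and DIR/key-b.gpg,
# both containing the same random key line, then discard the plaintext.
make_shared_key() {
    mkdir -p "$1"
    # Isolated GNUPGHOME so the example never touches the user's keyring.
    GNUPGHOME="$1/gnupghome"; export GNUPGHOME
    mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"
    # One 64-character random line (constructed, high entropy). This is what
    # resists a dictionary attack; the passphrases only guard the wrappers.
    head -c 48 /dev/urandom | base64 | tr -d '\n' > "$1/keyfile"
    echo >> "$1/keyfile"
    gpg_wrap "$1/keyfile" "$1/key-a.gpg" "$2"   # Richard's copy
    gpg_wrap "$1/keyfile" "$1/key-b.gpg" "$3"   # his wife's copy
    # Only the wrapped copies are kept; each goes on its owner's media.
    rm -f "$1/keyfile"
}

# same_key_inside DIR PASS_A PASS_B: succeed only if both wrappers open with
# their own passphrase and yield the same key line.
same_key_inside() {
    a=$(gpg_unwrap "$1/key-a.gpg" "$2")
    b=$(gpg_unwrap "$1/key-b.gpg" "$3")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# wrong_pass_rejected FILE PASSPHRASE: succeed if gpg refuses to open FILE.
wrong_pass_rejected() {
    if gpg_unwrap "$1" "$2" >/dev/null 2>&1; then return 1; fi
    return 0
}

if have_gpg; then
    DEMO=$(mktemp -d)
    make_shared_key "$DEMO" "richards-passphrase" "wifes-passphrase"
    same_key_inside "$DEMO" "richards-passphrase" "wifes-passphrase" \
        && echo "both wrappers hold the same key"
    wrong_pass_rejected "$DEMO/key-a.gpg" "wifes-passphrase" \
        && echo "key-a.gpg refuses the other passphrase"
fi
```

Because the volume depends only on the random key line, either person can change their passphrase later by decrypting their own .gpg file and re-running gpg_wrap on it; the other copy is untouched. A wrong passphrase makes gpg fail outright rather than produce a different key, which is what the check above relies on.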