| 1 |
Pupeno wrote: |
| 2 |
|
| 3 |
>>I use the dm-crypt from the kernel.... |
| 4 |
>> |
| 5 |
>> |
| 6 |
>I've read that it is unsecure and I also read that it is not yet vory well |
| 7 |
>suported. |
| 8 |
> |
| 9 |
> |
| 10 |
|
| 11 |
Dm-crypt is fairly well supported, since it is in the kernel, but I find |
| 12 |
it to be harder to setup and less 'flexible' than loop-AES (the changing |
| 13 |
passphrase thing, for example). |
| 14 |
|
| 15 |
It provides rougly the equivalent security as loop-AES in "single-key" |
| 16 |
mode (where a single key is used to encrypt every block). loop-AES also |
| 17 |
supports multi-key mode, where 64 different keys are used to encrypt the |
| 18 |
blocks. Multi-key makes certain kinds of attacks (specifically, |
| 19 |
watermark) more difficult, but is slower. |
| 20 |
|
| 21 |
However, I seem to recall reading somewhere in the last couple of weeks |
| 22 |
that dm-crypt was also getting multi-key support...maybe in the |
| 23 |
mm-kernel, or for 2.6.13... |
| 24 |
|
| 25 |
Now, I doubt that most people actually _need_ the extra security of |
| 26 |
multi-key encryption. Personally I run loop-AES in single-key mode |
| 27 |
because it is faster than multi-key. Plus someone willing to go through |
| 28 |
the effort of cracking multi-key encryption would find it much easier to |
| 29 |
simply make a credible physical threat, and I will happily give them my |
| 30 |
password!! :-) |
| 31 |
|
| 32 |
>I know I don't need a key, but I do want a key (stored in a remobable modia) |
| 33 |
>encripted with a passphrase I will be able to change, or best, my wife can |
| 34 |
>have the key protected with a different passphrase than I do. |
| 35 |
>Beyond that, encripting with a key is much better than doing that with a |
| 36 |
>passphrase because the passphrase can be cracked (dictionary attack) while |
| 37 |
>the key-encripted that can't. |
| 38 |
> |
| 39 |
> |
| 40 |
|
| 41 |
Well, technically, anything can be cracked given enough time and |
| 42 |
computing power. |
| 43 |
|
| 44 |
For using different passwords, this is possible. You would need to |
| 45 |
encrypt the same key file with gpg to two different .gpg files....your |
| 46 |
wife can use one, and you can use the other. If the key files are |
| 47 |
stored on separate pieces of removable media, then you each have your |
| 48 |
own "keys" to the system. |
| 49 |
|
| 50 |
-Richard |
| 51 |
|
| 52 |
-- |
| 53 |
gentoo-user@g.o mailing list |
Archives