Sebastian Wiesner wrote:

> 7v5w7go9ub0o <7v5w7go9ub0o@×××××.com> at Friday 27 June 2008, 05:41:15
>> Chris Walters wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA512
>>>
>>> Sorry if this subject has been hashed and rehashed again, but I was
>>> wondering
>>> which Gentoo partition encryption scheme is considered the best, in
>>> terms of:
>>>
>>> 1. Security
>> "....Another thing: If I remember correctly, LUKS keeps the actual key
>> on the encrypted disk, itself encrypted with a passphrase. Naturally
>> this means that an attacker only has to break the passphrase, which gets
>> him the key"
>
> Naturally ... if the user wants to use passphrases, the key needs to be
> related to the passphrase somehow, whether by it being derived from the
> passphrase through hashing or it being encrypted with a second key, that is
> derived from the passphrase.
>
> But a decent hard disk encryption system should be able to store the key
> file on a USB stick or on a smart card. Besides increased security,
> because there is weak passphrase, it provides increased comfort: You don't
> have to enter a silly passphrase on every boot ;)
>

Yes.

But if I understand his comment, the LUKS standard requires a copy to be
stored on the HD - even if using the more secure dongle - and keeping a
passphrase-encrypted copy on the HD permanently renders the HD integrity
compromised.

ISTM the better way to use a passphrase would be to passphrase-encrypt
the encryption key and store it somewhere on a boot sector. On the boot
sector - but not within the encrypted disk - as having it on the disk
weakens the disk integrity. If you later acquire a USB, you simply
transfer the whole encryption key to the USB and remove the passphrase
obscuration programs from the boot sector.

So IIUC the question becomes, can one configure LUKS to NOT keep a copy
of the passphrase-protected encryption key on the HD (or is keeping it
there part of the LUKS "standard")?

-- 
gentoo-user@l.g.o mailing list
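The key-slot question in the reply above, worked as an added Python model that is neither from this thread nor from cryptsetup's code: LUKS generates a random master key, and its header holds one wrapped copy of it per key slot (passphrase or keyfile), which `cryptsetup luksAddKey` and `cryptsetup luksKillSlot` add and remove, so the passphrase-protected copy can be dropped once a keyfile slot exists. The XOR wrapping, the HMAC master-key check and the slot layout are simplifications assumed for this illustration, not the LUKS on-disk format.

```python
import hashlib, hmac, os
from typing import Dict, Optional, Tuple
# Constructed, simplified model of LUKS-style key slots (NOT the real LUKS header
# format): one random master key encrypts the volume; each slot stores that key
# wrapped under a key derived from one secret (passphrase or keyfile contents).

def derive_slot_key(secret: bytes, salt: bytes) -> bytes:
    """Slow KDF per slot, so guessing a passphrase costs real work."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000, dklen=32)

def wrap(data: bytes, slot_key: bytes) -> bytes:
    # XOR stand-in for the per-slot cipher; per-slot salts mean no key is reused.
    return bytes(a ^ b for a, b in zip(data, slot_key))

def master_check(master_key: bytes) -> bytes:
    # Lets unlock() recognise the right master key without storing it in clear.
    return hmac.new(master_key, b"master-key-check", hashlib.sha256).digest()

class Volume:
    def __init__(self) -> None:
        self.master_key = os.urandom(32)                 # never written in clear
        self.slots: Dict[int, Tuple[bytes, bytes]] = {}  # id -> (salt, wrapped key)
        self.check = master_check(self.master_key)       # kept in the header

    def add_slot(self, slot_id: int, secret: bytes) -> None:
        salt = os.urandom(16)
        self.slots[slot_id] = (salt, wrap(self.master_key, derive_slot_key(secret, salt)))

    def kill_slot(self, slot_id: int) -> None:
        del self.slots[slot_id]                          # cf. cryptsetup luksKillSlot

    def unlock(self, secret: bytes) -> Optional[bytes]:
        """Try every slot; return the master key on success, else None."""
        for salt, wrapped in self.slots.values():
            candidate = wrap(wrapped, derive_slot_key(secret, salt))
            if hmac.compare_digest(master_check(candidate), self.check):
                return candidate
        return None

def demo() -> Dict[str, bool]:
    vol = Volume()
    vol.add_slot(0, b"silly passphrase")        # slot 0: passphrase
    keyfile = os.urandom(64)                    # slot 1: keyfile on a USB stick
    vol.add_slot(1, keyfile)
    before = vol.unlock(b"silly passphrase") == vol.master_key
    vol.kill_slot(0)                            # header no longer holds a passphrase copy
    return {"passphrase_before": before,
            "passphrase_after": vol.unlock(b"silly passphrase") is not None,
            "keyfile_after": vol.unlock(keyfile) == vol.master_key}
```

After `kill_slot(0)` the header still contains the keyfile-wrapped copy, which is what a keyfile-only LUKS setup looks like; the passphrase-derived path is gone entirely.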