| 1 |
Sebastian Wiesner wrote: |
| 2 |
> 7v5w7go9ub0o <7v5w7go9ub0o@×××××.com> at Friday 27 June 2008, 05:41:15 |
| 3 |
>> Chris Walters wrote: |
| 4 |
>>> -----BEGIN PGP SIGNED MESSAGE----- |
| 5 |
>>> Hash: SHA512 |
| 6 |
>>> |
| 7 |
>>> Sorry if this subject has been hashed and rehashed again, but I was |
| 8 |
>>> wondering |
| 9 |
>>> which Gentoo partition encryption scheme is considered the best, in |
| 10 |
>>> terms of: |
| 11 |
>>> |
| 12 |
>>> 1. Security |
| 13 |
>> "....Another thing: If I remember correctly, LUKS keeps the actual key |
| 14 |
>> on the encrypted disk, itself encrypted with a passphrase. Naturally |
| 15 |
>> this means that an attacker only has to break the passphrase, which gets |
| 16 |
>> him the key" |
| 17 |
> |
| 18 |
> Naturally ... if the user wants to use passphrases, the key needs to be |
| 19 |
> related to the passphrase somehow, whether by it being derived from the |
| 20 |
> passphrase through hashing or it being encrypted with a second key, that is |
| 21 |
> derived from the passphrase. |
| 22 |
> |
| 23 |
> But a decent hard disk encrpytion system should be able to store the key |
| 24 |
> file on a USB stick or on a smart card. Beside a increased security, |
| 25 |
> because there is weak passphrase, it provides increased comfort: You don't |
| 26 |
> have to enter a silly passphrase on every boot ;) |
| 27 |
> |
| 28 |
|
| 29 |
Yes. |
| 30 |
|
| 31 |
But If I understand his comment, the LUKS standard requires a copy to be |
| 32 |
stored on the HD - even if using the more secure dongle - and keeping a |
| 33 |
passphrase-encrypted copy on the HD permanently renders the HD integrity |
| 34 |
compromised. |
| 35 |
|
| 36 |
ISTM the better way to use a passphrase would be to passphrase-encrypt |
| 37 |
the encryption key and store it somewhere on a boot sector. On the boot |
| 38 |
sector - but not within the encrypted disk - as having it on the disk |
| 39 |
weakens the disk integrity. If you later acquire a USB, you simply |
| 40 |
transfer the whole encryption key to the USB and remove the passphrase |
| 41 |
obscuration programs from the boot sector. |
| 42 |
|
| 43 |
So IIUC the question becomes, can one configure LUKS to NOT keep a copy |
| 44 |
of the passphrase-protected encryption key on the HD (or is keeping it |
| 45 |
there part of the LUKS "standard")? |
| 46 |
|
| 47 |
-- |
| 48 |
gentoo-user@l.g.o mailing list |
Archives