* [dm-crypt] Security concern: gpg keyfile vs passphrase
@ 2015-07-07 20:32 lyz
2015-07-07 21:00 ` wintonian
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: lyz @ 2015-07-07 20:32 UTC (permalink / raw)
To: dm-crypt
[-- Attachment #1: Type: text/plain, Size: 458 bytes --]
Hi all,
I'm encrypting my whole system under LUKS, and I've seen that in the
wiki of Arch and Gentoo they suggest to use a keyfile and encrypt it
with gpg.
Why is more secure to encrypt a keyfile with a passphrase and then
encrypt the device with the keyfile rather than encrypting the device
directly with the passphrase?
Against a brute force attack the passphrase is the same, so they should
be equally secure, am I wrong?
Thank you
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [dm-crypt] Security concern: gpg keyfile vs passphrase
2015-07-07 20:32 [dm-crypt] Security concern: gpg keyfile vs passphrase lyz
@ 2015-07-07 21:00 ` wintonian
[not found] ` <559C3C05.9040701@wintonian.org.uk>
2015-07-08 3:00 ` David Christensen
2 siblings, 0 replies; 6+ messages in thread
From: wintonian @ 2015-07-07 21:00 UTC (permalink / raw)
To: dm-crypt
(replying to the list rather than the individual might be a better idea)
A quick guess,
In this scenario you have the following:-
A, something physical - i.e. a keyfile.
plus
B, something known - i.e. a pass phrase.
Which equals something more secure
I guess there might be more to it than that, but I assume that's part of it.
Regards
Robert
On 07/07/15 21:32, lyz wrote:
> Hi all,
>
> I'm encrypting my whole system under LUKS, and I've seen that in the
> wiki of Arch and Gentoo they suggest to use a keyfile and encrypt it
> with gpg.
>
> Why is more secure to encrypt a keyfile with a passphrase and then
> encrypt the device with the keyfile rather than encrypting the device
> directly with the passphrase?
>
> Against a brute force attack the passphrase is the same, so they should
> be equally secure, am I wrong?
>
> Thank you
>
>
>
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [dm-crypt] Security concern: gpg keyfile vs passphrase
[not found] ` <559C3C05.9040701@wintonian.org.uk>
@ 2015-07-07 21:08 ` lyz
2015-07-07 21:20 ` Arno Wagner
0 siblings, 1 reply; 6+ messages in thread
From: lyz @ 2015-07-07 21:08 UTC (permalink / raw)
To: wintonian, dm-crypt
[-- Attachment #1: Type: text/plain, Size: 1400 bytes --]
The keyfile will be stored in the /boot partition.
My question is if it's in a cryptographic way more secure, like if gpg
encryption of a keyfile is more difficult to break rather than a
dm-crypt encryption of a device, therefore it's logical to use a keyfile
to encrypt the device and gpg to encrypt the keyfile.
Thanks
On 07/07/2015 10:52 PM, wintonian wrote:
> A quick guess,
>
> In this scenario you have the following:-
>
> A, something physical - i.e. a keyfile.
> plus
> B, something known - i.e. a pass phrase.
>
> Which equals something more secure
>
> I guess there might be more to it than that, but I assume that's part of
> it.
>
> Regards
> Robert
>
> On 07/07/15 21:32, lyz wrote:
>> Hi all,
>>
>> I'm encrypting my whole system under LUKS, and I've seen that in the
>> wiki of Arch and Gentoo they suggest to use a keyfile and encrypt it
>> with gpg.
>>
>> Why is more secure to encrypt a keyfile with a passphrase and then
>> encrypt the device with the keyfile rather than encrypting the device
>> directly with the passphrase?
>>
>> Against a brute force attack the passphrase is the same, so they should
>> be equally secure, am I wrong?
>>
>> Thank you
>>
>>
>>
>>
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt@saout.de
>> http://www.saout.de/mailman/listinfo/dm-crypt
>>
>
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [dm-crypt] Security concern: gpg keyfile vs passphrase
2015-07-07 21:08 ` lyz
@ 2015-07-07 21:20 ` Arno Wagner
2015-07-09 19:00 ` Sven Eschenberg
0 siblings, 1 reply; 6+ messages in thread
From: Arno Wagner @ 2015-07-07 21:20 UTC (permalink / raw)
To: dm-crypt
I think a keyfile is only better if it resides in a different
place than the LUKS header, i.e. is on an USB stick that gets
removed or the like and can hence act as an extra factor.
Crtypto-wise, if yoy use a high-entropy passphrase,see
FAQ Item 5.1 at
https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions/
...I do not see any reason why using GnuPG to protect the
passhrase would be any more secure.
Arno
On Tue, Jul 07, 2015 at 23:08:17 CEST, lyz wrote:
> The keyfile will be stored in the /boot partition.
>
> My question is if it's in a cryptographic way more secure, like if gpg
> encryption of a keyfile is more difficult to break rather than a
> dm-crypt encryption of a device, therefore it's logical to use a keyfile
> to encrypt the device and gpg to encrypt the keyfile.
>
> Thanks
>
> On 07/07/2015 10:52 PM, wintonian wrote:
> > A quick guess,
> >
> > In this scenario you have the following:-
> >
> > A, something physical - i.e. a keyfile.
> > plus
> > B, something known - i.e. a pass phrase.
> >
> > Which equals something more secure
> >
> > I guess there might be more to it than that, but I assume that's part of
> > it.
> >
> > Regards
> > Robert
> >
> > On 07/07/15 21:32, lyz wrote:
> >> Hi all,
> >>
> >> I'm encrypting my whole system under LUKS, and I've seen that in the
> >> wiki of Arch and Gentoo they suggest to use a keyfile and encrypt it
> >> with gpg.
> >>
> >> Why is more secure to encrypt a keyfile with a passphrase and then
> >> encrypt the device with the keyfile rather than encrypting the device
> >> directly with the passphrase?
> >>
> >> Against a brute force attack the passphrase is the same, so they should
> >> be equally secure, am I wrong?
> >>
> >> Thank you
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> dm-crypt mailing list
> >> dm-crypt@saout.de
> >> http://www.saout.de/mailman/listinfo/dm-crypt
> >>
> >
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [dm-crypt] Security concern: gpg keyfile vs passphrase
2015-07-07 20:32 [dm-crypt] Security concern: gpg keyfile vs passphrase lyz
2015-07-07 21:00 ` wintonian
[not found] ` <559C3C05.9040701@wintonian.org.uk>
@ 2015-07-08 3:00 ` David Christensen
2 siblings, 0 replies; 6+ messages in thread
From: David Christensen @ 2015-07-08 3:00 UTC (permalink / raw)
To: dm-crypt
On 07/07/2015 01:32 PM, lyz wrote:
> I'm encrypting my whole system under LUKS, and I've seen that in the
> wiki of Arch and Gentoo they suggest to use a keyfile and encrypt it
> with gpg.
What are the URL's?
David
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [dm-crypt] Security concern: gpg keyfile vs passphrase
2015-07-07 21:20 ` Arno Wagner
@ 2015-07-09 19:00 ` Sven Eschenberg
0 siblings, 0 replies; 6+ messages in thread
From: Sven Eschenberg @ 2015-07-09 19:00 UTC (permalink / raw)
To: dm-crypt
It's a simple strategy to mitigate physical theft, if your 'key-material'
is on a moveable device. (while it is trivial to acquire a physical object
unnoticed it's much harder to acquire something from the brain of a person
unnoticed, I'd assume)
-Sven
On Tue, July 7, 2015 23:20, Arno Wagner wrote:
> I think a keyfile is only better if it resides in a different
> place than the LUKS header, i.e. is on an USB stick that gets
> removed or the like and can hence act as an extra factor.
>
> Crtypto-wise, if yoy use a high-entropy passphrase,see
> FAQ Item 5.1 at
> https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions/
> ...I do not see any reason why using GnuPG to protect the
> passhrase would be any more secure.
>
> Arno
>
>
> On Tue, Jul 07, 2015 at 23:08:17 CEST, lyz wrote:
>> The keyfile will be stored in the /boot partition.
>>
>> My question is if it's in a cryptographic way more secure, like if gpg
>> encryption of a keyfile is more difficult to break rather than a
>> dm-crypt encryption of a device, therefore it's logical to use a keyfile
>> to encrypt the device and gpg to encrypt the keyfile.
>>
>> Thanks
>>
>> On 07/07/2015 10:52 PM, wintonian wrote:
>> > A quick guess,
>> >
>> > In this scenario you have the following:-
>> >
>> > A, something physical - i.e. a keyfile.
>> > plus
>> > B, something known - i.e. a pass phrase.
>> >
>> > Which equals something more secure
>> >
>> > I guess there might be more to it than that, but I assume that's part
>> of
>> > it.
>> >
>> > Regards
>> > Robert
>> >
>> > On 07/07/15 21:32, lyz wrote:
>> >> Hi all,
>> >>
>> >> I'm encrypting my whole system under LUKS, and I've seen that in the
>> >> wiki of Arch and Gentoo they suggest to use a keyfile and encrypt it
>> >> with gpg.
>> >>
>> >> Why is more secure to encrypt a keyfile with a passphrase and then
>> >> encrypt the device with the keyfile rather than encrypting the device
>> >> directly with the passphrase?
>> >>
>> >> Against a brute force attack the passphrase is the same, so they
>> should
>> >> be equally secure, am I wrong?
>> >>
>> >> Thank you
>> >>
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> dm-crypt mailing list
>> >> dm-crypt@saout.de
>> >> http://www.saout.de/mailman/listinfo/dm-crypt
>> >>
>> >
>>
>
>
>
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt@saout.de
>> http://www.saout.de/mailman/listinfo/dm-crypt
>
>
> --
> Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
> GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D
> 9718
> ----
> A good decision is based on knowledge and not on numbers. -- Plato
>
> If it's in the news, don't worry about it. The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2015-07-09 19:00 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-07-07 20:32 [dm-crypt] Security concern: gpg keyfile vs passphrase lyz
2015-07-07 21:00 ` wintonian
[not found] ` <559C3C05.9040701@wintonian.org.uk>
2015-07-07 21:08 ` lyz
2015-07-07 21:20 ` Arno Wagner
2015-07-09 19:00 ` Sven Eschenberg
2015-07-08 3:00 ` David Christensen
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.