* [dm-crypt] length of keyfiles
From: Felix Rubio @ 2021-01-06 9:17 UTC
To: dm-crypt

Hi everybody,

I have seen that keyfiles can be used in cryptsetup up to 8 kB, but
internally the master key is 512 bits at max. Is there any recommendation
/ increased security by using a random sequence of 8 kB w.r.t., let's say,
one of just 64 bytes?

I understand that using one of 8kB will require more time than one of 64 B
when unlocking the volume, but... is the former really that much more
secure than the latter?

Regards!
Felix
_______________________________________________
dm-crypt mailing list
dm-crypt@saout.de
https://www.saout.de/mailman/listinfo/dm-crypt

* Re: [dm-crypt] length of keyfiles
From: Arno Wagner @ 2021-01-06 10:47 UTC
To: dm-crypt

Hi Felix,

I assume we are talking LUKS here, plain mode is different.

The longer length is both convenience and helps if you
use low-entropy input. The keyfile does not actually
hold a key (LUKS mode), but a passphrase. Passphrases
get hashed, and once you have maximum entropy, you
cannot get more. I would need to look up what length
is actually used, but it does not depend on the length
of the encryption key. That one is stored in the anti-forensic
stripes, protected with the hash from that passphrase.

So, to make this short, if you use LUKS with a keyfile,
putting in more entropy than used is meaningless.
If your random data is from /dev/random or (properly
initialized) /dev/urandom, 64 bytes are more than enough.

Also, the differences between an 8kB passphrase and a
64B one in execution time should not be noticeable at all.
Unless you read it from floppy disk ;-)

Regards,
Arno

On Wed, Jan 06, 2021 at 10:17:22 CET, Felix Rubio wrote:
> Hi everybody,
>
> I have seen that keyfiles can be used in cryptsetup up to 8 kB, but
> internally the master key is 512 bits at max. Is there any recommendation
> / increased security by using a random sequence of 8 kB w.r.t., let's say,
> one of just 64 bytes?
>
> I understand that using one of 8kB will require more time than one of 64 B
> when unlocking the volume, but... is the former really that much more
> secure than the latter?
>
> Regards!
> Felix

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier

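
The point made in the reply above, that a LUKS keyfile is a passphrase fed through a KDF with fixed-size output, as an added example that is not part of the original thread and not cryptsetup's code. It assumes PBKDF2-HMAC-SHA256 as the key-slot KDF (LUKS1 uses PBKDF2); the salt, iteration count and function names are constructed for illustration.

```python
import hashlib
import os

# Constructed parameters for illustration; a real key slot stores its own
# salt and iteration count in the LUKS header.
SALT = bytes(range(32))
ITERATIONS = 1000
DKLEN = 64  # 512 bits, the maximum master-key size mentioned in the thread


def slot_key(keyfile: bytes) -> bytes:
    """Derive the key that protects the master key (PBKDF2 is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", keyfile, SALT, ITERATIONS, dklen=DKLEN)


def effective_hmac_key(keyfile: bytes) -> bytes:
    """HMAC replaces a key longer than the hash block size with its digest."""
    block = hashlib.sha256().block_size  # 64 bytes for SHA-256
    if len(keyfile) > block:
        return hashlib.sha256(keyfile).digest()
    return keyfile


def compare(lengths=(64, 4096, 8192)):
    """Return (keyfile size, HMAC key size, derived size, same-after-prehash)."""
    rows = []
    for n in lengths:
        keyfile = os.urandom(n)  # kernel CSPRNG, same source as /dev/urandom
        reduced = effective_hmac_key(keyfile)
        derived = slot_key(keyfile)
        # Feeding the pre-hashed keyfile gives the identical derived key, so
        # the bytes beyond the hash size contributed nothing extra.
        rows.append((n, len(reduced), len(derived), derived == slot_key(reduced)))
    return rows


if __name__ == "__main__":
    for n, eff, out, same in compare():
        print(f"keyfile {n:5d} B -> HMAC key {eff:2d} B -> derived key {out} B, "
              f"identical after pre-hash: {same}")
```

Under this assumption, any keyfile longer than 64 bytes is reduced to a 32-byte digest before the KDF iterates, so the 4 kB and 8 kB keyfiles carry no more key material into the derivation than the hash output allows.
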
* Re: [dm-crypt] length of keyfiles
From: Felix Rubio @ 2021-01-06 11:08 UTC
To: dm-crypt

Thank you for your answer Arno... and for confirming that I should
finally get rid of those double density floppy disks and reader :-P

Regards!
Felix

---
Felix Rubio
"Don't believe what you're told. Double check."

On 2021-01-06 11:47, Arno Wagner wrote:
> Hi Felix,
>
> I assume we are talking LUKS here, plain mode is different.
>
> The longer length is both convenience and helps if you
> use low-entropy input. The keyfile does not actually
> hold a key (LUKS mode), but a passphrase. Passphrases
> get hashed, and once you have maximum entropy, you
> cannot get more. I would need to look up what length
> is actually used, but it does not depend on the length
> of the encryption key. That one is stored in the anti-forensic
> stripes, protected with the hash from that passphrase.
>
> So, to make this short, if you use LUKS with a keyfile,
> putting in more entropy than used is meaningless.
> If your random data is from /dev/random or (properly
> initialized) /dev/urandom, 64 bytes are more than enough.
>
> Also, the differences between an 8kB passphrase and a
> 64B one in execution time should not be noticeable at all.
> Unless you read it from floppy disk ;-)
>
> Regards,
> Arno
>
> On Wed, Jan 06, 2021 at 10:17:22 CET, Felix Rubio wrote:
>> Hi everybody,
>>
>> I have seen that keyfiles can be used in cryptsetup up to 8 kB, but
>> internally the master key is 512 bits at max. Is there any recommendation
>> / increased security by using a random sequence of 8 kB w.r.t., let's say,
>> one of just 64 bytes?
>>
>> I understand that using one of 8kB will require more time than one of 64 B
>> when unlocking the volume, but... is the former really that much more
>> secure than the latter?
>>
>> Regards!
>> Felix

* Re: [dm-crypt] length of keyfiles
From: Felix Rubio @ 2021-01-06 11:17 UTC
To: dm-crypt

Follow up question: right now I am generating the 4 kB keyfile using openssl
rand 4096. Should the quality of the key, then, be the same if doing dd
if=/dev/random bs=64 count=1?

Thank you!
Felix

On 2021-01-06 12:08, Felix Rubio wrote:
> Thank you for your answer Arno... and for confirming that I should
> finally get rid of those double density floppy disks and reader :-P
>
> Regards!
> Felix
>
> On 2021-01-06 11:47, Arno Wagner wrote:
>> Hi Felix,
>>
>> I assume we are talking LUKS here, plain mode is different.
>>
>> The longer length is both convenience and helps if you
>> use low-entropy input. The keyfile does not actually
>> hold a key (LUKS mode), but a passphrase. Passphrases
>> get hashed, and once you have maximum entropy, you
>> cannot get more. I would need to look up what length
>> is actually used, but it does not depend on the length
>> of the encryption key. That one is stored in the anti-forensic
>> stripes, protected with the hash from that passphrase.
>>
>> So, to make this short, if you use LUKS with a keyfile,
>> putting in more entropy than used is meaningless.
>> If your random data is from /dev/random or (properly
>> initialized) /dev/urandom, 64 bytes are more than enough.
>>
>> Also, the differences between an 8kB passphrase and a
>> 64B one in execution time should not be noticeable at all.
>> Unless you read it from floppy disk ;-)
>>
>> Regards,
>> Arno
>>
>> On Wed, Jan 06, 2021 at 10:17:22 CET, Felix Rubio wrote:
>>> Hi everybody,
>>>
>>> I have seen that keyfiles can be used in cryptsetup up to 8 kB, but
>>> internally the master key is 512 bits at max. Is there any recommendation
>>> / increased security by using a random sequence of 8 kB w.r.t., let's say,
>>> one of just 64 bytes?
>>>
>>> I understand that using one of 8kB will require more time than one of 64 B
>>> when unlocking the volume, but... is the former really that much more
>>> secure than the latter?
>>>
>>> Regards!
>>> Felix

* Re: [dm-crypt] length of keyfiles
From: Arno Wagner @ 2021-01-06 14:06 UTC
To: dm-crypt

I have not done an in-depth investigation on what openssl uses,
but some people claim that it probably uses /dev/random as
source. So basically the same if these claims are correct.

And yes, those DD floppies are a bit outdated now ;-)

Regards,
Arno

On Wed, Jan 06, 2021 at 12:17:30 CET, Felix Rubio wrote:
> Follow up question: right now I am generating the 4 kB keyfile using openssl
> rand 4096. Should the quality of the key, then, be the same if doing dd
> if=/dev/random bs=64 count=1?
>
> Thank you!
> Felix
>
> On 2021-01-06 12:08, Felix Rubio wrote:
> > Thank you for your answer Arno... and for confirming that I should
> > finally get rid of those double density floppy disks and reader :-P
> >
> > Regards!
> > Felix
> >
> > On 2021-01-06 11:47, Arno Wagner wrote:
> > > Hi Felix,
> > >
> > > I assume we are talking LUKS here, plain mode is different.
> > >
> > > The longer length is both convenience and helps if you
> > > use low-entropy input. The keyfile does not actually
> > > hold a key (LUKS mode), but a passphrase. Passphrases
> > > get hashed, and once you have maximum entropy, you
> > > cannot get more. I would need to look up what length
> > > is actually used, but it does not depend on the length
> > > of the encryption key. That one is stored in the anti-forensic
> > > stripes, protected with the hash from that passphrase.
> > >
> > > So, to make this short, if you use LUKS with a keyfile,
> > > putting in more entropy than used is meaningless.
> > > If your random data is from /dev/random or (properly
> > > initialized) /dev/urandom, 64 bytes are more than enough.
> > >
> > > Also, the differences between an 8kB passphrase and a
> > > 64B one in execution time should not be noticeable at all.
> > > Unless you read it from floppy disk ;-)
> > >
> > > Regards,
> > > Arno
> > >
> > > On Wed, Jan 06, 2021 at 10:17:22 CET, Felix Rubio wrote:
> > > > Hi everybody,
> > > >
> > > > I have seen that keyfiles can be used in cryptsetup up to 8 kB, but
> > > > internally the master key is 512 bits at max. Is there any recommendation
> > > > / increased security by using a random sequence of 8 kB w.r.t., let's say,
> > > > one of just 64 bytes?
> > > >
> > > > I understand that using one of 8kB will require more time than one of 64 B
> > > > when unlocking the volume, but... is the former really that much more
> > > > secure than the latter?
> > > >
> > > > Regards!
> > > > Felix