On Sat, 10 Oct 2009 03:09:14 +0300, Roman Kyrylych <roman.kyrylych@xxxxxxxxx> wrote:

> I don't see why it's more secure.

Because your / partition, where you have stored your passphrase as clear text in /etc/crypttab, is unlocked if your computer is running. If you get hacked, your passphrase can easily be read. If the key is on the USB stick, the USB stick is unplugged and the computer gets hacked, the passphrase and the key can't be read. Of course it is somewhere in the RAM, but I don't know how hard it is to find it there if the system gets hacked online.

> And that's why it's much less secure,
> someone just takes your USB stick and logs in.

First, you should keep the USB stick safe and shouldn't let it be taken by someone else. Second, if you format the USB stick with e.g. ext3 and write the keyfile with dd to a free place, then it looks like an empty filesystem if it gets mounted. The keys can only be found by searching the raw data with e.g. a hex editor. And then the person who has taken your USB key must know that it is a key for your partitions.

Well, of course the offset can be found in the kernel line in menu.lst on the unencrypted /boot partition. But this would imply that the person who has stolen your computer and your USB stick(s) needs to know which is the right stick. And he must know a bit about Linux and LUKS. It's more likely that a hacker who hacks you online has Linux and LUKS knowledge than someone who steals your computer and your USB stick offline.

But, of course, nothing is 100% secure. And I guess it's a matter of philosophy. It depends on where the higher danger is, offline or online.

Heiko
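As an added illustration of the trade-off Heiko describes (this is not code from the thread or from any project mentioned in it), here is a small POSIX shell audit that classifies /etc/crypttab entries by where the key material lives: a passphrase prompted at boot, a cleartext keyfile on the root filesystem (readable by anyone with root once / is unlocked), or a key read at a raw offset from a removable device. It assumes the systemd-style crypttab `keyfile-offset=` option rather than the `cryptkey=` kernel parameter in menu.lst that the mail refers to; the device paths and file names used in the comments and tests are made up.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Classifies crypttab entries by where their key lives so an admin can see
# which keys an attacker with root on the running system could simply read.
# crypttab format (one entry per line): <name> <device> <keyfile|none> <options>
# Assumption: systemd crypttab semantics, where a /dev/... key path plus
# keyfile-offset= means "read the key from raw bytes on that device".
# Usage: . ./crypttab_audit.sh; audit_crypttab /etc/crypttab

classify_crypttab_entry() {
    # $1 = one crypttab line. Prints exactly one of:
    #   prompt               - no keyfile, passphrase typed at unlock time
    #   cleartext-on-root    - keyfile is a regular file on the running system
    #   raw-offset-on-device - key stored at an offset on a block device
    #                          (the "dd into free space on the stick" layout)
    #   whole-device-key     - key is a block device read from its start
    #   missing-key          - keyfile path does not exist on this system
    set -- $1
    key=$3
    opts=$4
    case "$key" in
        none|"")
            echo prompt
            return 0 ;;
        /dev/*)
            case ",$opts," in
                *,keyfile-offset=*) echo raw-offset-on-device ;;
                *)                  echo whole-device-key ;;
            esac
            return 0 ;;
    esac
    if [ -f "$key" ]; then
        # Readable by root whenever / is unlocked: the weak case in the mail.
        echo cleartext-on-root
    else
        echo missing-key
    fi
}

audit_crypttab() {
    # $1 = path to a crypttab-format file. Prints "<name>: <class>" per entry,
    # skipping blank lines and comments.
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*) continue ;;
        esac
        set -- $line
        printf '%s: %s\n' "$1" "$(classify_crypttab_entry "$line")"
    done < "$file"
}
```

Run it against your own crypttab: any entry reported as cleartext-on-root is the configuration Heiko argues against, while raw-offset-on-device entries are only usable while the stick is plugged in.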