Daniel Harvey wrote:
> Does this reduce the security of the multi-key encryption (storing the key
> locally with the data)?
Nope.
Usually the weakest link is the user memorizable low entropy passphrase that
protects the key file or secret keyring keys. Even though gpg includes
reasonable countermeasures agaist dictionary attacks agaist symmetric cipher
encrypted files and secret keyring keys, it is possible that these can be
successfully attacked using slow dictionary attack.
As additional countermeasure agaist dictionary attacks, loop-AES' README
file advises to store the key file in USB memory stick. When adversary does
not have access to key file, dictionary attack agaist it is impossible.
However, in this case:
ssh user@host cat keyfile | mount -p 0 -o gpgkey=/etc/foo
the passphrase that protects /etc/foo key file can be non user memorizable
high entropy string that will not be vulnerable to any dictionary attack. So
storing gpg encrypted key file locally, and thus making it available to
attacker in case of computer theft, does not significantly reduce security.
> How would you compare this with single key encryption with key stored
> remotely?
Multi-key mode is more secure.
--
Jari Ruusu 1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9 DB 1D EB E3 24 0E A9 DD
-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
