Re: Tripl: a simple front-end for multiple encryption


 



Phil H wrote:
> Seems my little script has been met with about as much interest as yet another offer to "enlarge your penis".
>  
>  Is there a reason for that? Is it naive?  Does it contain or represent an encryption faux pas?

First: Similar to IANAL, I have to say that I'm no encryption expert.
So at least part of my argumentation is pure guessing!

For me personally:

- Performance: triple encryption approximates at 200% less performance.
(With which I could live for tiny amounts of data, but not the 11,5TB of
space for which I need best(tm) performance, given the constraints)

- IIRC the keys were used wrongly, breaking the first layer exposes the
keys to the second and that exposes the keys to the third layer.
But even if that's true, then it's only an implementation fault, not a
fault in the schema itself.
Encrypting all 3 keys would solve that "problem", with the new "problem"
that you have to remember 3 passphrases instead of one.

Also storing the 2 "inside" keys somewhere outside "solves" the problem
that you can(!) verify that you broke the first layer.
With 3 layers, of exactly the same size on top of each other, you have
to break all 3 layers to get to verifiable data/known plaintext.
Although you don't have exactly "known plaintext", after breaking the
first layer, you still have something for which you can say if it is a
valid gpg file or not.

- I need automation (as much as possible). Besides entering the
passphrase for a key-containers I want no interaction at all.

- Therefore: I had my own scripts done before you posted yours, and I
think mine are too specific for myself.
I don't think my udev/autofs integration/configuration is generally usable.



Until then

-- 
Real Programmers consider "what you see is what you get" to be just as
bad a concept in Text Editors as it is in women. No, the Real Programmer
wants a "you asked for it, you got it" text editor -- complicated,
cryptic, powerful, unforgiving, dangerous.


-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/

