Thanks to all who corrected me on my test post. I made a few mistakes there - 'nuff said.

On Saturday 02 August 2008, Jonas wrote:
> PS: I doubt that it's possible to pipe both the current and a new key to
> cryptsetup luksAddKey at the same time. But why not use a temporary
> passphrase to add the key, and remove the keySlot with the passphrase
> afterwards. That requires passphrase input at least, but it avoids using
> temporary files. On the other hand it should be safe to use tempfiles if
> you wipe/shred them afterwards.

That is a good point. Any intermediate/temporary passphrase doesn't need to be written to disk. It can be left in a variable and later destroyed.

That isn't the problem I have though: I want to have an extremely secure partition/container. I want the only keys to be random binary and stored on USB keys, encrypted too.

When I _create_ the container, let's say that I use my personal USB key, which I carry always. Now, I want to add another similar key. I will need to get my USB key into luksAdd, and then perhaps type in an intermediate/temporary key as you suggest.

Well, I've tried it, as I said before, but I cannot get it to work. I could use a suggestion here on how it can be done. If it is possible, then I can work out the rest myself. Otherwise, I will have to start reading the source.

I see no need to format the container using a text key or keyfile. That seems less secure to me. Isn't a USB key/encrypted 2-factor security?

Thanks again for any help!

Cheers,
Mick

---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
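One way to add a second binary keyfile authorised by an existing keyfile, as an added example that is not part of the original message. It assumes a current cryptsetup, where `luksAddKey` takes the existing key through `--key-file` and the new key as a positional file; the function names and demo file names are hypothetical.

```shell
#!/bin/sh
# Added example. Function names and demo file names are assumptions.

# Add NEW_KEY ($3) to a free slot of DEV ($1), authorised by EXISTING_KEY ($2).
# --key-file names a key already in a slot; the positional file is the key
# being added, so neither key has to be typed or piped.
add_second_keyfile() {
    cryptsetup luksAddKey --key-file "$2" "$1" "$3"
}

# Succeeds only if KEY ($2) unlocks a slot on DEV ($1); no mapping is created.
key_opens() {
    cryptsetup open --type luks --test-passphrase --key-file "$2" "$1"
}

# Constructed demo on a throwaway image file with two random 64-byte keys
# standing in for the decrypted contents of the two USB sticks.
demo() {
    umask 077                                  # key files readable by owner only
    work=$(mktemp -d) || return 1
    img=$work/container.img
    truncate -s 16M "$img"
    head -c 64 /dev/urandom > "$work/usb1.key"
    head -c 64 /dev/urandom > "$work/usb2.key"
    # Format with the first keyfile only; no text passphrase is ever set.
    cryptsetup -q luksFormat --type luks1 "$img" "$work/usb1.key" &&
        add_second_keyfile "$img" "$work/usb1.key" "$work/usb2.key" &&
        key_opens "$img" "$work/usb2.key"
    rc=$?
    rm -rf "$work"
    return "$rc"
}

# Run the demo only when asked: sh thisfile demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

If the decrypted keys must exist as files at all, keeping them on a tmpfs mount avoids writing them to persistent storage.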