On Wed, Sep 17, 2008 at 04:29:36PM -0500, Clayton Shepard wrote:
> It sounds like it may be more effective, and much less code, to write a well
> scripted front end that manages and automates the creation and opening of
> multiple LUKS devices at once.

I agree. In addition this can be done by anybody competent, as
it does not need insights into the LUKS implementation.

> IE create 12 LUKS devices with the same passphrase with one command, and
> then open all 12 with one command. Although I personally don't really use
> the passphrase management features - I guess a similar command to add and
> revoke passphrases would also be needed.
>
> I am not a cryptology expert, so I do not know what impact having all 12 of
> these with the same/different masterkey would have on security. It seems
> like all of them having the same key couldn't be any worse than the >1TB
> problem it is already faced with.

While I have not looked into the 1TB issue, using the same masterkey,
you would probably need to add all disk sizes together in order to
determine whether this is vulnerable.

> Would 12 different masterkeys with the
> same passphrase present any security problems?

That should be fine, as then the devices are effectively
independent. There might be some issue of on-disk structure
from the RAID, but that should still not be a problem, especially
with independent keys. The passphrase only protects the keys,
and the key material is not really a lot (i.e. << 1TB ;-), so
I do not see any problem with using the same passphrase for
multiple keys.

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens."
  -- Bruce Schneier

---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
For additional commands, e-mail: dm-crypt-help@xxxxxxxx
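
A sketch of the scripted front end discussed in the message above, added here as an example and not taken from the thread or from cryptsetup itself. The function names, the `crypt_` mapping-name scheme and the `CRYPTSETUP` override variable are assumptions; each device gets its own master key and only the passphrase is shared.

```shell
#!/bin/sh
# Added example: format/open several LUKS devices with one shared passphrase.
# CRYPTSETUP may be pointed at a stub for a dry run.
CRYPTSETUP=${CRYPTSETUP:-cryptsetup}

# Prompt once, without echo; the passphrase is left in LUKS_PASS.
luks_read_pass() {
    printf 'LUKS passphrase: ' >&2
    stty -echo; IFS= read -r LUKS_PASS; stty echo
    echo >&2
}

# Mapping name for a device, e.g. /dev/sdb1 -> crypt_sdb1 (assumed scheme).
luks_name() { printf 'crypt_%s' "${1##*/}"; }

# luks_format_all DEV...  DESTROYS existing data on each device.
# Every luksFormat generates its own random master key, so the volumes
# stay independent; only the passphrase protecting the keys is shared.
# printf '%s' sends no trailing newline, so the same passphrase also
# works when typed at cryptsetup's interactive prompt later.
luks_format_all() {
    for dev in "$@"; do
        printf '%s' "$LUKS_PASS" |
            "$CRYPTSETUP" --batch-mode --key-file=- luksFormat "$dev" || return 1
    done
}

# luks_close_all NAME...  closes mappings, reports failure if any close fails.
luks_close_all() {
    rc=0
    for name in "$@"; do
        "$CRYPTSETUP" luksClose "$name" || rc=1
    done
    return "$rc"
}

# luks_open_all DEV...  opens every device; if one fails, the mappings
# opened so far are closed again so no partial set is left behind.
# Names of opened mappings are left in LUKS_OPENED (space separated).
luks_open_all() {
    LUKS_OPENED=
    for dev in "$@"; do
        name=$(luks_name "$dev")
        if printf '%s' "$LUKS_PASS" |
            "$CRYPTSETUP" --key-file=- luksOpen "$dev" "$name"; then
            LUKS_OPENED="$LUKS_OPENED $name"
        else
            # Intentional word splitting: names contain no whitespace.
            luks_close_all $LUKS_OPENED
            return 1
        fi
    done
}
```

Typical use is `luks_read_pass` followed by `luks_open_all` with the member devices; the array on top is assembled only after every mapping opened successfully.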