Roscoe wrote:
> On Tue, Dec 30, 2008 at 10:10 AM, Dick Middleton <gmane@xxxxxxxxxxxx> wrote:
> ...
>> Is it? Works for me. But then if you use --key-file=key.file you'll use it
>> the same way every time so the difference won't be noticed.
>
> You have to be a bit careful, it is important to understand what the
> difference may be.

Yes, sorry, I was a bit casual in what I said.
Firstly I assumed the use of LUKS and that works differently from non-LUKS.
Secondly I've been through this hoop, made this mistake but forgotten as it was
some 2 or 3 years ago.

>> FYI I use jpg files for some of my key files.
>
> With cryptsetup create? Using the first 16 or 32 bytes (probably 16,
> possibly >32 depending on mode) of a non-randomly generated file seems
> a bit of a bad idea to me.

LUKS uses PBKDF2 to suck in the whole key material, adds a salt and creates a
derived key (which is more secure). http://en.wikipedia.org/wiki/PBKDF2
(http://clemens.endorphin.org/TKS1-draft.pdf). Unlike non-LUKS it doesn't use
just the first 16 or 32 bytes of the key.
So, if you like, in this context a jpg file is just a very long password,
hopefully more secure than a short one.
Dick
---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
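
The difference discussed in this thread, as an added Python example that is not part of the original message or of cryptsetup's code: two constructed JPEG-style key files that share the standard JFIF header give the same key when only the first 16 bytes are used, but different keys when the whole file goes through salted PBKDF2. The sample files, function names, hash (SHA-1) and iteration count are assumptions made for illustration.

```python
import hashlib
import os

# Constructed sample data: the 20-byte SOI + JFIF APP0 header that begins many
# JPEG files (version 1.1, 72x72 dpi). The "image data" after it is a stand-in.
JFIF_HEADER = bytes.fromhex("ffd8ffe000104a46494600010101004800480000")


def make_sample_jpeg(body: bytes) -> bytes:
    """Build a constructed JPEG-like key file: fixed header plus arbitrary body."""
    return JFIF_HEADER + body


def plain_key(keyfile: bytes, key_bytes: int = 16) -> bytes:
    """Model of the non-LUKS case in the thread: the first key_bytes bytes
    of the key file are used as the key, with no hashing and no salt."""
    if len(keyfile) < key_bytes:
        raise ValueError("key file is shorter than the key size")
    return keyfile[:key_bytes]


def luks_style_key(keyfile: bytes, salt: bytes,
                   iterations: int = 1000, key_bytes: int = 16) -> bytes:
    """Model of the LUKS case in the thread: PBKDF2 over the whole key
    material with a salt. Hash and iteration count are assumed values. In
    LUKS the derived key unlocks a key slot; it is not the volume key."""
    return hashlib.pbkdf2_hmac("sha1", keyfile, salt, iterations, dklen=key_bytes)


def compare(file_a: bytes, file_b: bytes, salt: bytes) -> dict:
    """Report whether two key files collapse to the same key in each model."""
    return {
        "plain_same": plain_key(file_a) == plain_key(file_b),
        "luks_same": luks_style_key(file_a, salt) == luks_style_key(file_b, salt),
    }


if __name__ == "__main__":
    photo_a = make_sample_jpeg(b"holiday photo pixels" * 50)
    photo_b = make_sample_jpeg(b"a different picture!" * 50)
    print(compare(photo_a, photo_b, os.urandom(32)))
    # The plain-mode key is nothing but file-format header bytes:
    print(plain_key(photo_a).hex())
```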