Hello again,

Arno Wagner wrote:
> > Alternatively, I could just do this:
> >
> >     ( cat ~/pass_key ; cat ) | cryptsetup luksOpen --key-file - /dev/loop1 loop1
> >
> > so I still have to provide both the key and passphrase, terminated
> > with Ctrl-D. Any thoughts?
>
> Yes, why do you not use the passphrase entry function of cryptsetup
> directly? Without a specific and credible risk, there is no
> reason to do anything of what you describe here...

Ok, but I may have a reason I need to do this anyway, that probably no
one else has: these disks are external USB-connected disks and they are
noisy, so I keep them powered off unless backing up to them. Their power
management is really broken, or maybe Linux is, so I connected them to a
relay on the parallel port to properly power them off. That setup has
been working for years, and to keep it automated with encryption, the
key has to be stored somewhere, doesn't it?

I'm not sure I understand the point of having a key file if that key
file isn't protected somehow; an attacker would have access to the
machine that stores the key as well. (I'm not going to spend €50000 on
an HSM for this, that would be overamplifying risks by a very long way.)

An attacker would have to break into the system after I've entered the
passphrase, without powering it off (notwithstanding cold-boot attacks),
but that's the same case as with normal disk encryption, isn't it? If
the disks were kept powered on, I would enter the passphrase once at
boot up, and keep the disk mounted. Isn't that what everyone else does?

To get the same but with the disks powering off, I would decrypt the
passphrase to a ramfs (not /dev/shm, as that can get written to swap),
and make cryptsetup read it from there.

> I would suggest you read up a bit more on cryptography.
> "Cryptography Engineering" by Schneier et al. is a good book for
> example, to get a good understanding of crypto technology
> and risks.
>
> You are at the moment in this dangerous "half-knowledge" state,
> where you see some risks and overamplify them, while you completely
> miss others. It is normal to go through this stage, but make sure
> you leave it behind.

Yes, well, I know that, and really if I didn't overamplify some risks,
then I would probably just not bother with disk encryption at all, but
that doesn't achieve or teach me anything.

Anyway, I live in the UK which has the RIPA act, so they send people to
prison simply for not handing over the keys. Check the references on
http://en.wikipedia.org/wiki/Regulation_of_Investigatory_Powers_Act_2000

Laurence

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
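The "stored key part plus typed passphrase, staged on a ramfs" flow discussed above, written out as an added example (not code from the thread or from cryptsetup). It assumes a ramfs already mounted at /mnt/keyram, the stored key part at /root/pass_key, and /dev/loop1 mapped as "loop1"; it refuses tmpfs mounts such as /dev/shm because those can be swapped, and it avoids the trailing newline that `cat` on stdin would append, since cryptsetup takes --key-file contents byte for byte.

```shell
#!/bin/sh
# Added example, not from the thread. Opens a LUKS volume with a stored key part
# plus a typed passphrase, staging the combined secret on a ramfs mount so it
# never reaches disk or swap. Assumed paths: /mnt/keyram (ramfs), /root/pass_key,
# /dev/loop1 mapped as "loop1".

# mount_fstype <mount-table> <path>: print the filesystem type of the mount
# holding <path>, from a /proc/mounts-style table (longest mount point wins).
mount_fstype() {
    awk -v p="$2" '
        BEGIN { best = 0 }
        $2 == "/" || $2 == p || index(p, $2 "/") == 1 {
            if (length($2) > best) { best = length($2); t = $3 }
        }
        END { print t }' "$1"
}

# ram_backed <path>: succeed only on ramfs. tmpfs (which /dev/shm is) is
# rejected because its pages can be swapped out; ramfs pages cannot.
ram_backed() {
    [ "$(mount_fstype /proc/mounts "$1")" = "ramfs" ]
}

# assemble_key <keyfile> <passphrase> <outfile>: key bytes followed by the
# passphrase, byte for byte and without a trailing newline. cryptsetup reads
# --key-file contents raw, so the newline "cat" leaves on a typed line would
# silently become part of the secret.
assemble_key() {
    ( umask 077; { cat "$1"; printf '%s' "$2"; } > "$3" )
}

# open_split_secret <keyfile> <ramdir> <device> <name>: read the passphrase
# without echo, stage the combined secret, open the volume, then wipe the file.
open_split_secret() {
    ram_backed "$2" || { echo "refusing: $2 is not a ramfs mount" >&2; return 1; }
    stty -echo; printf 'Passphrase: '; read -r pass; stty echo; echo
    staged="$2/luks-$$.key"
    assemble_key "$1" "$pass" "$staged"
    unset pass
    cryptsetup luksOpen --key-file "$staged" "$3" "$4"; rc=$?
    shred -u "$staged" 2>/dev/null || rm -f "$staged"
    return "$rc"
}

# Usage as root, after: mount -t ramfs -o size=1m,mode=0700 ramfs /mnt/keyram
#   sh open-split.sh --open
if [ "${1:-}" = "--open" ]; then
    open_split_secret /root/pass_key /mnt/keyram /dev/loop1 loop1
fi
```

The same key material must have been enrolled with `luksFormat`/`luksAddKey` via a file produced by `assemble_key`, otherwise the newline difference alone makes the open fail.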