Hi,
I guess his point was to build something like a strong authentication with:
(1) something that I *own* (a key, maybe on a USB key),
(2) something that I *know* (a passphrase).
This doesn't look too bad to me.
But maybe it's worth remembering hash algorithms are ignored with key
files in plain mode, so that the --hash=sha512 is not effective and
actually equivalent to --hash=plain in this case.
Best regards,
Quentin
Le 01/12/2014 13:49, Arno Wagner a écrit :
This construction is redundant and does not provide any
additional security as compared to passphrase alone,
assuming that your passphrase is secure.
If your passphrase is insecure, you should fix that
instead.
Arno
On Mon, Dec 01, 2014 at 03:54:19 CET, 0x14@xxxxxxxxxxxxxxx wrote:
Hi there, is this construction secure? Assuming "keyfile" is a file
and "/dev/device" is a block device, both made with /dev/urandom.
cryptsetup open --hash=sha512 --cipher=aes-xts-plain64 --type=plain
keyfile keyfile_tmp && cat /dev/mapper/keyfile_tmp | \
cryptsetup open --hash=sha512 --cipher=aes-xts-plain64 --type=plain
--key-file=- /dev/device cryptodevice && \
cryptsetup close keyfile_tmp && mount /dev/mapper/cryptodevice
/media/cryptodevice
The goal is to use pass+keyfile to decrypt storage. I put it in a
script and it works as it should at a glance. Are there alternatives
or improvements? Stupid errors maybe?
Thanks.
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
