This construction is redundant and does not provide any
additional security as compared to passphrase alone,
assuming that your passphrase is secure.
Additional security, as I see it, will be:
1. If you have knowledge about the encrypted device, you need to not only
know the passphrase, but also have the keyfile (have physical access to
it). Some sort of 2-FA.
2. A separate keyfile may be easier to physically destroy; it may be
crucial when you are in a hurry to do that - small microSD card with
keyfile vs. encrypted hard drive. If I get it right, bigger encrypted
containers in plain mode are also harder to destroy.
Isn't it somehow comparable to having the LUKS header on a separate device
(--header option)?
Am I wrong?
Thanks for patience in advance :)
P.S. Writing from another mail, sorry for possible confusion.