I think a keyfile is only better if it resides in a different place than the LUKS header, i.e. is on a USB stick that gets removed or the like and can hence act as an extra factor. Crypto-wise, if you use a high-entropy passphrase, see FAQ Item 5.1 at https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions/ ... I do not see any reason why using GnuPG to protect the passphrase would be any more secure.

Arno

On Tue, Jul 07, 2015 at 23:08:17 CEST, lyz wrote:
> The keyfile will be stored in the /boot partition.
>
> My question is if it's in a cryptographic way more secure, like if gpg
> encryption of a keyfile is more difficult to break rather than a
> dm-crypt encryption of a device, therefore it's logical to use a keyfile
> to encrypt the device and gpg to encrypt the keyfile.
>
> Thanks
>
> On 07/07/2015 10:52 PM, wintonian wrote:
> > A quick guess,
> >
> > In this scenario you have the following:-
> >
> > A, something physical - i.e. a keyfile.
> > plus
> > B, something known - i.e. a pass phrase.
> >
> > Which equals something more secure.
> >
> > I guess there might be more to it than that, but I assume that's part of
> > it.
> >
> > Regards
> > Robert
> >
> > On 07/07/15 21:32, lyz wrote:
> >> Hi all,
> >>
> >> I'm encrypting my whole system under LUKS, and I've seen that in the
> >> wiki of Arch and Gentoo they suggest to use a keyfile and encrypt it
> >> with gpg.
> >>
> >> Why is it more secure to encrypt a keyfile with a passphrase and then
> >> encrypt the device with the keyfile rather than encrypting the device
> >> directly with the passphrase?
> >>
> >> Against a brute force attack the passphrase is the same, so they should
> >> be equally secure, am I wrong?
> >>
> >> Thank you
> >>
> >> _______________________________________________
> >> dm-crypt mailing list
> >> dm-crypt@xxxxxxxx
> >> http://www.saout.de/mailman/listinfo/dm-crypt
> >>
> >
>

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier