It's a simple strategy to mitigate physical theft, if your 'key-material' is on a moveable device.
(while it is trivial to acquire a physical object unnoticed it's much harder to acquire something from the brain of a person unnoticed, I'd assume)

-Sven

On Tue, July 7, 2015 23:20, Arno Wagner wrote:
> I think a keyfile is only better if it resides in a different
> place than the LUKS header, i.e. is on a USB stick that gets
> removed or the like and can hence act as an extra factor.
>
> Crypto-wise, if you use a high-entropy passphrase, see
> FAQ Item 5.1 at
> https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions/
> ...I do not see any reason why using GnuPG to protect the
> passphrase would be any more secure.
>
> Arno
>
> On Tue, Jul 07, 2015 at 23:08:17 CEST, lyz wrote:
>> The keyfile will be stored in the /boot partition.
>>
>> My question is if it's in a cryptographic way more secure, like if gpg
>> encryption of a keyfile is more difficult to break rather than a
>> dm-crypt encryption of a device, therefore it's logical to use a keyfile
>> to encrypt the device and gpg to encrypt the keyfile.
>>
>> Thanks
>>
>> On 07/07/2015 10:52 PM, wintonian wrote:
>> > A quick guess,
>> >
>> > In this scenario you have the following:-
>> >
>> > A, something physical - i.e. a keyfile.
>> > plus
>> > B, something known - i.e. a pass phrase.
>> >
>> > Which equals something more secure
>> >
>> > I guess there might be more to it than that, but I assume that's part of
>> > it.
>> >
>> > Regards
>> > Robert
>> >
>> > On 07/07/15 21:32, lyz wrote:
>> >> Hi all,
>> >>
>> >> I'm encrypting my whole system under LUKS, and I've seen that in the
>> >> wiki of Arch and Gentoo they suggest to use a keyfile and encrypt it
>> >> with gpg.
>> >>
>> >> Why is it more secure to encrypt a keyfile with a passphrase and then
>> >> encrypt the device with the keyfile rather than encrypting the device
>> >> directly with the passphrase?
>> >>
>> >> Against a brute force attack the passphrase is the same, so they should
>> >> be equally secure, am I wrong?
>> >>
>> >> Thank you
>> >>
>> >> _______________________________________________
>> >> dm-crypt mailing list
>> >> dm-crypt@xxxxxxxx
>> >> http://www.saout.de/mailman/listinfo/dm-crypt
>
> --
> Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx
> GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
> ----
> A good decision is based on knowledge and not on numbers. -- Plato
>
> If it's in the news, don't worry about it. The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier