Re: [PATCH] fscrypt: add a documentation file for filesystem-level encryption


 



On Aug 18, 2017, at 1:47 PM, Eric Biggers <ebiggers3@xxxxxxxxx> wrote:
> +Key hierarchy
> +=============
> +
> +Master Keys
> +-----------
> +
> +Userspace should generate master keys either using a cryptographically
> +secure random number generator, e.g. by reading from ``/dev/urandom``
> +or calling getrandom(), or by using a KDF (Key Derivation Function).
> +Note that whenever a KDF is used to "stretch" a lower-entropy secret
> +such as a passphrase, it is critical that a KDF designed for this
> +purpose be used, such as scrypt, PBKDF2, or Argon2.
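
Review bot: The first sentence of "Master Keys" lists reading ``/dev/urandom`` and calling getrandom() as interchangeable, but does not say how getrandom() should be called or what happens before the kernel random pool is initialized. Suggest noting that getrandom() with flags 0 blocks until the pool has been initialized, while a read from ``/dev/urandom`` does not wait, which matters for master keys generated early in boot. The KDF sentence names scrypt, PBKDF2 and Argon2 but omits that a passphrase-derived key also needs a random salt and a deliberately chosen work factor; one added clause would cover it.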

One minor suggestion - when generating a master key for a filesystem,
I'd think it is preferable to use /dev/random instead of /dev/urandom
to ensure there is enough entropy.

Cheers, Andreas





Attachment: signature.asc
Description: Message signed with OpenPGP

