[Pkg-cryptsetup-devel] Re: What is the benefit of SSL/GnuPG encrypting keys instead of XOR?
Clemens Fruhwirth
clemens at endorphin.org
Thu Mar 23 07:29:44 UTC 2006
Jonas Meurer <jonas at freesources.org> wrote:
> On 22/03/2006 gebi at sbox.tugraz.at wrote:
> > >Yes, the two-factor authentication is one aspect. But more
> > >importantly IMHO: By using keyfiles at all, we can generate the
> > >actual keys from cryptographically secure PRNGs instead of deriving
> > >them from hashes of user-memorizable passphrases. Since we can't
> > >store those keyfiles in clear, either openssl or gnupg are used to
> > >encrypt them - this could be done with other software too.
> >
> > LUKS should be exactly this ;).
> > Your passphrase is used to encrypt the master key for the luks
> > partition. LUKS is also resistant against dictionary attacks (see
> > http://clemens.endorphin.org/publications).
>
> you're correct. and according to clemens the key/passphrase which is
> used to decrypt the master key is hashed to a fixed length anyway. in
> other words: encrypted keys don't have any advantages over a passphrase.
>
> this means, that support for openssl/gnupg encrypted keys is useless for
> luks, isn't it?

The fact is that LUKS encrypts passwords itself, and further it tries to
harden the password with PBKDF2 (please see
http://clemens.endorphin.org/publications - New Methods in Hard Disk
Encryption - Chapter 5 or Chapter 6 if you want all the LUKS details).
Adding another layer of encryption adds no additional protection or
appliance for me. For non-LUKS setups encrypted passwords are highly
desirable, but in fact they have been the main reason why LUKS was
invented. They are the whole purpose of LUKS.
--
Fruhwirth Clemens - http://clemens.endorphin.org
for robots: sp4mtrap at endorphin.org
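
Added example (not part of the original message and not LUKS code): a simplified Python model of the key-slot idea discussed in this thread. The master key is random, and a passphrase or a keyfile's contents are both run through PBKDF2 to a fixed-length key that unwraps it. The XOR wrap, SHA-256, the iteration count, the sizes and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this model
KEY_LEN = 32          # assumed master key size in bytes


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def kdf(secret, salt, length=KEY_LEN):
    # PBKDF2 maps a secret of any length (passphrase or keyfile contents)
    # to a fixed-length key; the iterations slow down dictionary attacks.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, length)


def create_volume():
    """The master key comes from the OS CSPRNG, never from a passphrase."""
    master = os.urandom(KEY_LEN)
    digest_salt = os.urandom(32)
    header = {
        "digest_salt": digest_salt,
        # Digest of the master key, used to recognise a correct unlock.
        "mk_digest": kdf(master, digest_salt, 20),
        "slots": [],
    }
    return master, header


def add_slot(header, master, secret):
    """Wrap the same master key under one more secret."""
    salt = os.urandom(32)
    kek = kdf(secret, salt)
    # Assumption: XOR with the one-time derived key stands in for the
    # slot cipher and anti-forensic splitting of a real header.
    header["slots"].append({"salt": salt, "wrapped": xor_bytes(master, kek)})


def unlock(header, secret):
    """Return the master key if any slot opens with this secret, else None."""
    for slot in header["slots"]:
        candidate = xor_bytes(slot["wrapped"], kdf(secret, slot["salt"]))
        check = kdf(candidate, header["digest_salt"], 20)
        if hmac.compare_digest(check, header["mk_digest"]):
            return candidate
    return None
```

In this model a 4096-byte keyfile and a short passphrase end up as the same kind of 32-byte slot key, and neither changes the strength of the random master key they protect.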