Re: [dm-crypt] Cryptsetup Optimal Keyfile Size for a given Key Size

[Arno Wagner <arno@wagner.name>]

I think the "keyfile" is really a passphrasefile and gets hashed.
In that case you want some more bits in there to ensure maximum 
entropy.

Arno


On Wed, May 19, 2010 at 03:16:40PM -0400, Dan Klopp wrote:
> I wanted to generate a keyfile of the maximum size and no larger, as  
> using a 512 bit keyfile on 256 bit encryption seems pointless.  In so  
> doing I seem to have encountered an error in the man page, and cannot  
> answer my question from it or I have misunderstood the concept.  My only  
> question is, with a dm-luks key size fixed, at what point does a random  
> keyfile of size X, offer no more protection than a random keyfile of  
> size Y, when X > Y?  Please read on for what I encountered and why the  
> man page cannot seem to answer my question.
>
> According to the man page 256 bits can be set as your key size (if it is  
> good enough for classified material, it is good enough for me).  Hence a  
> keyfile  larger than your key size would be pointless.  Intriguingly,  
> most online guides (including the official guide!) that generate a  
> keyfile use the command `dd if=/dev/random of=mykey bs=1 count=256`  
> which is 256 bytes, not 256 bits.  The correct command should be `dd  
> if=/dev/random of=mykey bs=1 count=32`, am I right?
>
> Naturally, I was curious what advantage 256 bytes versus 256 bits may  
> entail.  According to the man page, none:
>
>       From  a  key file: It will be cropped to the size given by -s. If  
> there
>       is insufficient key material in the key file, cryptsetup will quit 
> with
>       an error.
>
> Fair enough, but curious, I tested this "cropping" by generating a 1024  
> byte key (way overkill) and adding it as a keyfile to a file container.   
> I opened it to test it and it worked.  Then I used the first half of the  
> 1024 byte key to open it.  I received an error message of an incorrect  
> key.  Therefore, it does not crop as I understand it, and it uses the  
> entire key.  But to what point?  If you are only capable of 256 bit  
> encryption, using a 4096 bit key seems...pointless?
>
> My sample script is below for cryptsetup 1.0.3, Red Hat 5.5, 64 bit:
>
> dd if=/dev/sda of=/dev/null &
> dd if=/dev/random of=key-1024B bs=1 count=1024
> kill `pidof dd`
> dd if=/dev/zero of=cont.enc bs=4096 count=4096
> losetup /dev/loop6 cont.enc || exit 1
> cryptsetup luksFormat -s 256 -c aes-cbc-essiv:sha256 /dev/loop6 key-1024B
> cryptsetup --key-file ./key-1024B luksOpen /dev/loop6 test
> # It works
> cryptsetup luksClose /dev/mapper/test
> dd if=key-1024B of=key-firsthalfof-1024B bs=1 count=512
> cryptsetup --key-file ./key-firsthalfof-1024B luksOpen /dev/loop6 test
> # Invalid keyfile.
> losetup -d /dev/loop6
>
> Thank you for your time,
> -Dan
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier