From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from tansi.org (ns.km10532-04.keymachine.de [87.118.102.195]) by mail.saout.de (Postfix) with ESMTP for ; Thu, 20 May 2010 02:05:30 +0200 (CEST) Received: from gatewagner.dyndns.org (84-74-164-239.dclient.hispeed.ch [84.74.164.239]) by tansi.org (Postfix) with ESMTPA id 624B5212804A for ; Thu, 20 May 2010 02:05:30 +0200 (CEST) Date: Thu, 20 May 2010 02:05:50 +0200 From: Arno Wagner Message-ID: <20100520000550.GA22394@tansi.org> References: <4BF43918.6060203@nrao.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4BF43918.6060203@nrao.edu> Subject: Re: [dm-crypt] Cryptsetup Optimal Keyfile Size for a given Key Size List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: dm-crypt@saout.de I think the "keyfile" is really a passphrasefile and gets hashed. In that case you want some more bits in there to ensure maximum entropy. Arno On Wed, May 19, 2010 at 03:16:40PM -0400, Dan Klopp wrote: > I wanted to generate a keyfile of the maximum size and no larger, as > using a 512 bit keyfile on 256 bit encryption seems pointless. In so > doing I seem to have encountered an error in the man page, and cannot > answer my question from it or I have misunderstood the concept. My only > question is, with a dm-luks key size fixed, at what point does a random > keyfile of size X, offer no more protection than a random keyfile of > size Y, when X > Y? Please read on for what I encountered and why the > man page cannot seem to answer my question. > > According to the man page 256 bits can be set as your key size (if it is > good enough for classified material, it is good enough for me). Hence a > keyfile larger than your key size would be pointless. Intriguingly, > most online guides (including the official guide!) that generate a > keyfile use the command `dd if=/dev/random of=mykey bs=1 count=256` > which is 256 bytes, not 256 bits. The correct command should be `dd > if=/dev/random of=mykey bs=1 count=32`, am I right? > > Naturally, I was curious what advantage 256 bytes versus 256 bits may > entail. According to the man page, none: > > From a key file: It will be cropped to the size given by -s. If > there > is insufficient key material in the key file, cryptsetup will quit > with > an error. > > Fair enough, but curious, I tested this "cropping" by generating a 1024 > byte key (way overkill) and adding it as a keyfile to a file container. > I opened it to test it and it worked. Then I used the first half of the > 1024 byte key to open it. I received an error message of an incorrect > key. Therefore, it does not crop as I understand it, and it uses the > entire key. But to what point? If you are only capable of 256 bit > encryption, using a 4096 bit key seems...pointless? > > My sample script is below for cryptsetup 1.0.3, Red Hat 5.5, 64 bit: > > dd if=/dev/sda of=/dev/null & > dd if=/dev/random of=key-1024B bs=1 count=1024 > kill `pidof dd` > dd if=/dev/zero of=cont.enc bs=4096 count=4096 > losetup /dev/loop6 cont.enc || exit 1 > cryptsetup luksFormat -s 256 -c aes-cbc-essiv:sha256 /dev/loop6 key-1024B > cryptsetup --key-file ./key-1024B luksOpen /dev/loop6 test > # It works > cryptsetup luksClose /dev/mapper/test > dd if=key-1024B of=key-firsthalfof-1024B bs=1 count=512 > cryptsetup --key-file ./key-firsthalfof-1024B luksOpen /dev/loop6 test > # Invalid keyfile. > losetup -d /dev/loop6 > > Thank you for your time, > -Dan > _______________________________________________ > dm-crypt mailing list > dm-crypt@saout.de > http://www.saout.de/mailman/listinfo/dm-crypt > -- Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F ---- Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier