* [dm-crypt] Cryptsetup Optimal Keyfile Size for a given Key Size
@ 2010-05-19 19:16 Dan Klopp
2010-05-20 0:05 ` Arno Wagner
0 siblings, 1 reply; 3+ messages in thread
From: Dan Klopp @ 2010-05-19 19:16 UTC (permalink / raw)
To: dm-crypt
I wanted to generate a keyfile of the maximum size and no larger, as
using a 512 bit keyfile on 256 bit encryption seems pointless. In so
doing I seem to have encountered an error in the man page, and cannot
answer my question from it or I have misunderstood the concept. My only
question is, with a dm-luks key size fixed, at what point does a random
keyfile of size X, offer no more protection than a random keyfile of
size Y, when X > Y? Please read on for what I encountered and why the
man page cannot seem to answer my question.
According to the man page 256 bits can be set as your key size (if it is
good enough for classified material, it is good enough for me). Hence a
keyfile larger than your key size would be pointless. Intriguingly,
most online guides (including the official guide!) that generate a
keyfile use the command `dd if=/dev/random of=mykey bs=1 count=256`
which is 256 bytes, not 256 bits. The correct command should be `dd
if=/dev/random of=mykey bs=1 count=32`, am I right?
Naturally, I was curious what advantage 256 bytes versus 256 bits may
entail. According to the man page, none:
From a key file: It will be cropped to the size given by -s. If
there
is insufficient key material in the key file, cryptsetup will
quit with
an error.
Fair enough, but curious, I tested this "cropping" by generating a 1024
byte key (way overkill) and adding it as a keyfile to a file container.
I opened it to test it and it worked. Then I used the first half of the
1024 byte key to open it. I received an error message of an incorrect
key. Therefore, it does not crop as I understand it, and it uses the
entire key. But to what point? If you are only capable of 256 bit
encryption, using a 4096 bit key seems...pointless?
My sample script is below for cryptsetup 1.0.3, Red Hat 5.5, 64 bit:
dd if=/dev/sda of=/dev/null &
dd if=/dev/random of=key-1024B bs=1 count=1024
kill `pidof dd`
dd if=/dev/zero of=cont.enc bs=4096 count=4096
losetup /dev/loop6 cont.enc || exit 1
cryptsetup luksFormat -s 256 -c aes-cbc-essiv:sha256 /dev/loop6 key-1024B
cryptsetup --key-file ./key-1024B luksOpen /dev/loop6 test
# It works
cryptsetup luksClose /dev/mapper/test
dd if=key-1024B of=key-firsthalfof-1024B bs=1 count=512
cryptsetup --key-file ./key-firsthalfof-1024B luksOpen /dev/loop6 test
# Invalid keyfile.
losetup -d /dev/loop6
Thank you for your time,
-Dan
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [dm-crypt] Cryptsetup Optimal Keyfile Size for a given Key Size 2010-05-19 19:16 [dm-crypt] Cryptsetup Optimal Keyfile Size for a given Key Size Dan Klopp @ 2010-05-20 0:05 ` Arno Wagner 2010-05-20 10:04 ` Roscoe 0 siblings, 1 reply; 3+ messages in thread From: Arno Wagner @ 2010-05-20 0:05 UTC (permalink / raw) To: dm-crypt I think the "keyfile" is really a passphrasefile and gets hashed. In that case you want some more bits in there to ensure maximum entropy. Arno On Wed, May 19, 2010 at 03:16:40PM -0400, Dan Klopp wrote: > I wanted to generate a keyfile of the maximum size and no larger, as > using a 512 bit keyfile on 256 bit encryption seems pointless. In so > doing I seem to have encountered an error in the man page, and cannot > answer my question from it or I have misunderstood the concept. My only > question is, with a dm-luks key size fixed, at what point does a random > keyfile of size X, offer no more protection than a random keyfile of > size Y, when X > Y? Please read on for what I encountered and why the > man page cannot seem to answer my question. > > According to the man page 256 bits can be set as your key size (if it is > good enough for classified material, it is good enough for me). Hence a > keyfile larger than your key size would be pointless. Intriguingly, > most online guides (including the official guide!) that generate a > keyfile use the command `dd if=/dev/random of=mykey bs=1 count=256` > which is 256 bytes, not 256 bits. The correct command should be `dd > if=/dev/random of=mykey bs=1 count=32`, am I right? > > Naturally, I was curious what advantage 256 bytes versus 256 bits may > entail. According to the man page, none: > > From a key file: It will be cropped to the size given by -s. If > there > is insufficient key material in the key file, cryptsetup will quit > with > an error. > > Fair enough, but curious, I tested this "cropping" by generating a 1024 > byte key (way overkill) and adding it as a keyfile to a file container. > I opened it to test it and it worked. Then I used the first half of the > 1024 byte key to open it. I received an error message of an incorrect > key. Therefore, it does not crop as I understand it, and it uses the > entire key. But to what point? If you are only capable of 256 bit > encryption, using a 4096 bit key seems...pointless? > > My sample script is below for cryptsetup 1.0.3, Red Hat 5.5, 64 bit: > > dd if=/dev/sda of=/dev/null & > dd if=/dev/random of=key-1024B bs=1 count=1024 > kill `pidof dd` > dd if=/dev/zero of=cont.enc bs=4096 count=4096 > losetup /dev/loop6 cont.enc || exit 1 > cryptsetup luksFormat -s 256 -c aes-cbc-essiv:sha256 /dev/loop6 key-1024B > cryptsetup --key-file ./key-1024B luksOpen /dev/loop6 test > # It works > cryptsetup luksClose /dev/mapper/test > dd if=key-1024B of=key-firsthalfof-1024B bs=1 count=512 > cryptsetup --key-file ./key-firsthalfof-1024B luksOpen /dev/loop6 test > # Invalid keyfile. > losetup -d /dev/loop6 > > Thank you for your time, > -Dan > _______________________________________________ > dm-crypt mailing list > dm-crypt@saout.de > http://www.saout.de/mailman/listinfo/dm-crypt > -- Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F ---- Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [dm-crypt] Cryptsetup Optimal Keyfile Size for a given Key Size 2010-05-20 0:05 ` Arno Wagner @ 2010-05-20 10:04 ` Roscoe 0 siblings, 0 replies; 3+ messages in thread From: Roscoe @ 2010-05-20 10:04 UTC (permalink / raw) To: dm-crypt A close inspection of the man page agrees: ''' luksFormat <device> [<key file>] initializes a LUKS partition and sets the initial key, either via prompting or via <key file>. <options> can be [--cipher, --verify-passphrase, --key-size, --key-slot] ... --key-file, -d use file as key material. With LUKS, key material supplied in key files via -d are always used for existing passphrases. If you want to set a new key via a key file, you have to use a positional arg to luksFormat or luksAddKey. ''' On Thu, May 20, 2010 at 10:05 AM, Arno Wagner <arno@wagner.name> wrote: > I think the "keyfile" is really a passphrasefile and gets hashed. > In that case you want some more bits in there to ensure maximum > entropy. > > Arno > > > On Wed, May 19, 2010 at 03:16:40PM -0400, Dan Klopp wrote: >> I wanted to generate a keyfile of the maximum size and no larger, as >> using a 512 bit keyfile on 256 bit encryption seems pointless. In so >> doing I seem to have encountered an error in the man page, and cannot >> answer my question from it or I have misunderstood the concept. My only >> question is, with a dm-luks key size fixed, at what point does a random >> keyfile of size X, offer no more protection than a random keyfile of >> size Y, when X > Y? Please read on for what I encountered and why the >> man page cannot seem to answer my question. >> >> According to the man page 256 bits can be set as your key size (if it is >> good enough for classified material, it is good enough for me). Hence a >> keyfile larger than your key size would be pointless. Intriguingly, >> most online guides (including the official guide!) that generate a >> keyfile use the command `dd if=/dev/random of=mykey bs=1 count=256` >> which is 256 bytes, not 256 bits. The correct command should be `dd >> if=/dev/random of=mykey bs=1 count=32`, am I right? >> >> Naturally, I was curious what advantage 256 bytes versus 256 bits may >> entail. According to the man page, none: >> >> From a key file: It will be cropped to the size given by -s. If >> there >> is insufficient key material in the key file, cryptsetup will quit >> with >> an error. >> >> Fair enough, but curious, I tested this "cropping" by generating a 1024 >> byte key (way overkill) and adding it as a keyfile to a file container. >> I opened it to test it and it worked. Then I used the first half of the >> 1024 byte key to open it. I received an error message of an incorrect >> key. Therefore, it does not crop as I understand it, and it uses the >> entire key. But to what point? If you are only capable of 256 bit >> encryption, using a 4096 bit key seems...pointless? >> >> My sample script is below for cryptsetup 1.0.3, Red Hat 5.5, 64 bit: >> >> dd if=/dev/sda of=/dev/null & >> dd if=/dev/random of=key-1024B bs=1 count=1024 >> kill `pidof dd` >> dd if=/dev/zero of=cont.enc bs=4096 count=4096 >> losetup /dev/loop6 cont.enc || exit 1 >> cryptsetup luksFormat -s 256 -c aes-cbc-essiv:sha256 /dev/loop6 key-1024B >> cryptsetup --key-file ./key-1024B luksOpen /dev/loop6 test >> # It works >> cryptsetup luksClose /dev/mapper/test >> dd if=key-1024B of=key-firsthalfof-1024B bs=1 count=512 >> cryptsetup --key-file ./key-firsthalfof-1024B luksOpen /dev/loop6 test >> # Invalid keyfile. >> losetup -d /dev/loop6 >> >> Thank you for your time, >> -Dan >> _______________________________________________ >> dm-crypt mailing list >> dm-crypt@saout.de >> http://www.saout.de/mailman/listinfo/dm-crypt >> > > -- > Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name > GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F > ---- > Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans > > If it's in the news, don't worry about it. The very definition of > "news" is "something that hardly ever happens." -- Bruce Schneier > _______________________________________________ > dm-crypt mailing list > dm-crypt@saout.de > http://www.saout.de/mailman/listinfo/dm-crypt > ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2010-05-20 10:04 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2010-05-19 19:16 [dm-crypt] Cryptsetup Optimal Keyfile Size for a given Key Size Dan Klopp 2010-05-20 0:05 ` Arno Wagner 2010-05-20 10:04 ` Roscoe
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.