From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <wagner@tansi.org>
Received: from mail.saout.de ([127.0.0.1])
 by localhost (mail.saout.de [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 4gTNPjM_sdGm for <dm-crypt@saout.de>;
 Mon, 17 Oct 2011 06:36:37 +0200 (CEST)
Received: from v4.tansi.org (ns.km33513-03.keymachine.de [87.118.94.3])
 by mail.saout.de (Postfix) with ESMTP
 for <dm-crypt@saout.de>; Mon, 17 Oct 2011 06:36:36 +0200 (CEST)
Received: from gatewagner.dyndns.org (84-74-163-71.dclient.hispeed.ch
 [84.74.163.71]) by v4.tansi.org (Postfix) with ESMTPA id B6A0020638B
 for <dm-crypt@saout.de>; Mon, 17 Oct 2011 06:36:35 +0200 (CEST)
Date: Mon, 17 Oct 2011 06:36:35 +0200
From: Arno Wagner <arno@wagner.name>
Message-ID: <20111017043635.GA31021@tansi.org>
References: <CAFnMBaTrcAt0LKafH27d32a3MknOLEi2n8_MSWfYVZ=psG8+-w@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAFnMBaTrcAt0LKafH27d32a3MknOLEi2n8_MSWfYVZ=psG8+-w@mail.gmail.com>
Subject: Re: [dm-crypt] two factor authentication with zuluCrypt
List-Id: <dm-crypt.saout.de>
List-Unsubscribe: <http://www.saout.de/mailman/options/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=unsubscribe>
List-Archive: <http://www.saout.de/pipermail/dm-crypt>
List-Post: <mailto:dm-crypt@saout.de>
List-Help: <mailto:dm-crypt-request@saout.de?subject=help>
List-Subscribe: <http://www.saout.de/mailman/listinfo/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=subscribe>
To: dm-crypt@saout.de

This will work, but it is not really 2-factor, as the key-file will 
not be "something you have". In fact, "something stored on disk" is
already done by LUKS, in the form of the salts and the key.

If you store part of the passphrase on an USB-Key, that may be
borderline 2-factor, but I doubt it really increases security.

Arno

On Sun, Oct 16, 2011 at 11:44:03PM -0400, .. ink .. wrote:
> I want to add the ability to create create and access volumes using two
> factors, a passphrase and a key file. What is the best way to achieve this?
> 
> The simplest way to do it i can think of is to read the file and then append
> the passphrase at the beginning, in the middle or at the end of it.
> 
> Will this be adequate? what is the best way to do this or is it a bad idea?

> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt


-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier