From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <htd+ml@fritha.org>
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.130])
 (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mail.server123.net (Postfix) with ESMTPS
 for <dm-crypt@saout.de>; Sun, 27 Sep 2015 20:55:56 +0200 (CEST)
Received: from localhost ([88.90.244.108]) by mrelayeu.kundenserver.de
 (mreue001) with ESMTPSA (Nemesis) id 0MQZS8-1a5bU73Q0S-00ThJD for
 <dm-crypt@saout.de>; Sun, 27 Sep 2015 20:55:56 +0200
Date: Sun, 27 Sep 2015 20:55:54 +0200
From: Heinz Diehl <htd+ml@fritha.org>
Message-ID: <20150927185554.GA15831@fritha.org>
References: <20150925173316.GA32719@manjaro.chello.hu>
 <20150925194446.GZ14230@yeono.kjorling.se>
 <20150925214834.GA5103@manjaro.chello.hu>
 <20150925222410.GD14230@yeono.kjorling.se>
 <20150926071456.GA25267@manjaro.chello.hu>
 <20150926153823.GE14230@yeono.kjorling.se>
 <20150927110859.GA31821@manjaro.chello.hu>
 <20150927140814.GC13009@tansi.org>
 <20150927141533.GP14230@yeono.kjorling.se>
 <20150927161208.GA26184@manjaro.chello.hu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20150927161208.GA26184@manjaro.chello.hu>
Subject: Re: [dm-crypt] Basics
List-Id: <dm-crypt.saout.de>
List-Unsubscribe: <http://www.saout.de/mailman/options/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=unsubscribe>
List-Archive: <http://www.saout.de/pipermail/dm-crypt/>
List-Post: <mailto:dm-crypt@saout.de>
List-Help: <mailto:dm-crypt-request@saout.de?subject=help>
List-Subscribe: <http://www.saout.de/mailman/listinfo/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=subscribe>
To: dm-crypt@saout.de

On 27.09.2015, Mike Nagie wrote: 

> As we just have concluded that a Diceware passphrase is much more 
> secure, then I'd like to ask you: should I need more than one LUKS key? 

What's your thread model, actually? Whom do you want to protect your
data from?

> The original idea was, creating an encrypted partition for the /home 
> then I'm going to set a very strong master passphrase (I assume that 
> slot 0 is the master) after that I add another LUKS key which is the 
> same password as my account's.

That would reduce your password strength to the strength of the
weakest of these two.

> Does more than one LUKS key reduce the security?

A chain is only as strong as its weakest link. This law applies
perfectly also to this particular scenario.

> Does it matter if I have a really strong passphrase and a not that strong second phrase? 

Think about it. It's quite obvious.