From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <547C7202.7040806@yahoo.com>
Date: Mon, 01 Dec 2014 14:49:54 +0100
From: Quentin Lefebvre
References: <20141201124959.GA29600@tansi.org>
In-Reply-To: <20141201124959.GA29600@tansi.org>
Subject: Re: [dm-crypt] Pass+keyfile
To: dm-crypt@saout.de
Cc: 0x14@openmailbox.org

Hi,

I guess his point was to build something like a strong authentication with:
(1) something that I *own* (a key, maybe on a USB key),
(2) something that I *know* (a passphrase).

This doesn't look too bad to me.
But maybe it's worth remembering hash algorithms are ignored with key
files in plain mode, so that the --hash=sha512 is not effective and
actually equivalent to --hash=plain in this case.

Best regards,
Quentin

On 01/12/2014 13:49, Arno Wagner wrote:
>
> This construction is redundant and does not provide any
> additional security as compared to passphrase alone,
> assuming that your passphrase is secure.
>
> If your passphrase is insecure, you should fix that
> instead.
>
> Arno
>
>
>
>
> On Mon, Dec 01, 2014 at 03:54:19 CET, 0x14@openmailbox.org wrote:
>> Hi there, is this construction secure? Assuming "keyfile" is a file
>> and "/dev/device" is a block device, both made with /dev/urandom.
>>
>> cryptsetup open --hash=sha512 --cipher=aes-xts-plain64 --type=plain
>> keyfile keyfile_tmp && cat /dev/mapper/keyfile_tmp | \
>> cryptsetup open --hash=sha512 --cipher=aes-xts-plain64 --type=plain
>> --key-file=- /dev/device cryptodevice && \
>> cryptsetup close keyfile_tmp && mount /dev/mapper/cryptodevice
>> /media/cryptodevice
>>
>> The goal is to use pass+keyfile to decrypt storage. I put it in a
>> script and it works as it should at a glance. Are there alternatives
>> or improvements? Stupid errors maybe?
>>
>> Thanks.