From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mx1.riseup.net (mx1.riseup.net [198.252.153.129])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.server123.net (Postfix) with ESMTPS
	for ; Tue, 7 Jul 2015 23:08:30 +0200 (CEST)
Message-ID: <559C3FC1.3040108@riseup.net>
Date: Tue, 07 Jul 2015 23:08:17 +0200
From: lyz
MIME-Version: 1.0
References: <559C3771.2030705@riseup.net> <559C3C05.9040701@wintonian.org.uk>
In-Reply-To: <559C3C05.9040701@wintonian.org.uk>
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature";
	boundary="vEQriFqvjcwejrnDGTkjjePqINwJx4tLB"
Subject: Re: [dm-crypt] Security concern: gpg keyfile vs passphrase
To: wintonian, dm-crypt@saout.de

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--vEQriFqvjcwejrnDGTkjjePqINwJx4tLB
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

The keyfile will be stored in the /boot partition.

My question is if it's in a cryptographic way more secure, like if gpg
encryption of a keyfile is more difficult to break rather than a dm-crypt
encryption of a device, therefore it's logical to use a keyfile to encrypt
the device and gpg to encrypt the keyfile.

Thanks

On 07/07/2015 10:52 PM, wintonian wrote:
> A quick guess,
>
> In this scenario you have the following:-
>
> A, something physical - i.e. a keyfile.
> plus
> B, something known - i.e. a pass phrase.
>
> Which equals something more secure
>
> I guess there might be more to it than that, but I assume that's part of
> it.
>
> Regards
> Robert
>
> On 07/07/15 21:32, lyz wrote:
>> Hi all,
>>
>> I'm encrypting my whole system under LUKS, and I've seen that in the
>> wiki of Arch and Gentoo they suggest to use a keyfile and encrypt it
>> with gpg.
>>
>> Why is it more secure to encrypt a keyfile with a passphrase and then
>> encrypt the device with the keyfile rather than encrypting the device
>> directly with the passphrase?
>>
>> Against a brute force attack the passphrase is the same, so they should
>> be equally secure, am I wrong?
>>
>> Thank you
>>
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt@saout.de
>> http://www.saout.de/mailman/listinfo/dm-crypt
>>
>

--vEQriFqvjcwejrnDGTkjjePqINwJx4tLB
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

--vEQriFqvjcwejrnDGTkjjePqINwJx4tLB--