From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1OFU5N-0007Ib-L2 for garchives@archives.gentoo.org; Fri, 21 May 2010 15:24:29 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 1692CE07AE; Fri, 21 May 2010 20:24:13 +0000 (UTC) Received: from mx01.admin-box.com (mx01.admin-box.com [78.47.249.108]) by pigeon.gentoo.org (Postfix) with ESMTP id AE2E8E07AE for ; Fri, 21 May 2010 20:24:12 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mx01.admin-box.com (Postfix) with ESMTP id DA89534FFD51 for ; Fri, 21 May 2010 22:24:10 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at mx01.admin-box.com Received: from mx01.admin-box.com ([127.0.0.1]) by localhost (mx01.admin-box.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AV5eMHAy2OVJ for ; Fri, 21 May 2010 22:24:05 +0200 (CEST) Received: from maya.local (g231107206.adsl.alicedsl.de [92.231.107.206]) (Authenticated sender: daniel@troeder.de) by mx01.admin-box.com (Postfix) with ESMTPSA id A399934FFD4D for ; Fri, 21 May 2010 22:24:05 +0200 (CEST) Message-ID: <4BF6EBE5.8090908@admin-box.com> Date: Fri, 21 May 2010 22:24:05 +0200 From: Daniel Troeder User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.9) Gecko/20100511 Thunderbird/3.0.4 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org MIME-Version: 1.0 To: gentoo-user@lists.gentoo.org Subject: Re: [gentoo-user] Re: Kernel upgrade and now LUKS failure References: <4BF108F3.1080304@xunil.at> <4BF299B4.2040306@xunil.at> <4BF2C6A7.6040607@xunil.at> In-Reply-To: X-Enigmail-Version: 1.0.1 OpenPGP: id=BB9D4887; url=http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig1547210402FD450825201828" X-Archives-Salt: 2bfb4f50-e9ce-4ebb-9206-e26ed528f243 X-Archives-Hash: 259d1e3e8b7ed4ccac2718b5aed8fe12 This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig1547210402FD450825201828 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable On 05/18/2010 07:57 PM, Jan Engelhardt wrote: >=20 > On Tuesday 2010-05-18 18:56, Stefan G. Weichinger wrote: >> >>>> Do you know any howto where it is done "the right way"? >>> >>> The right and easy way is to just use the supplied pmt-ehd(8) tool, >>> which works both interactively and non-interactively, depending on >>> whether it's called with enough arguments or not, so there's somethin= g >>> for everybody's flavor. >>> It does not do LUKS yet as of pam_mount 2.2, though. Guess my >>> todo list gets longer.. >> >> :-) >> >> But given the fact that I store the key on the same hard-disk with the= >> shadowed user-pw I could also leave that openssl-part straight away, >> correct?? seems the same level of (in)security to me ... >=20 > Yes. The point of keyfiles is to be able to change the password on > a volume. >=20 > Without a keyfile, a crypto program would take the password, hash it > somehow, and you get your AES key. Changing the password means having > a different AES key, meaning decrypting the disk will yield a > different result. In other words, changing the password would require > at least reading the old data, reencrypting it and writing it again. > Takes time. >=20 > With a keyfile, you retain the same AES key all the time, and encrypt > the AES key itself - reencrypting the AES key is quick, as it's > only some xyz bits, not terabytes. That's not true for LUKS. This is one of the nice things about it: Multiple keys can be used on a volume, and it is possible to change the passwords in a safe way. (You have 8 "key slots", each can be used to decrypt the volume. To change a PW use a new slot, then remove the old one.) The trick here is that LUKS does by itself safely, what you are trying to do with the SSL-key in a hackish way (no offense). The key setup scheme is a modified TKS1 (nice Paper: http://clemens.endorphin.org/TKS1-draft.pdf - read section 2 "Two Level Encryption") which uses the keys in the key slots to encrypt a master key which is used to encrypt the volume. So the only key(s) you ever change is the key(s) encrypting the master key. LUKS really does by itself already, what you are doing :) So I'm pretty sure, that it is safer to use the LUKS key setup (that has been peer-reviewed by security experts), than a self written shell script= =2E Bye, Daniel --=20 PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=3D0xBB9D4887&op=3Dg= et # gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887 --------------enig1547210402FD450825201828 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkv26+UACgkQg3+4tbudSIdY0wCeNQJFh52YyaVbC+jMoi178sF9 HX4Anjfp+Hsp1K4tC9B7u4anyEB5yoBC =SMU0 -----END PGP SIGNATURE----- --------------enig1547210402FD450825201828--