Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in

  FAQ | Search | Memberlist | Usergroups | Statistics | Profile | Log in to check your private messages | Log in | Register

LUKS: possible to have password AND keyfile?
 View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
avx
Advocate
Advocate


Joined: 21 Jun 2004
Posts: 2152
PostPosted: Sun Oct 26, 2008 3:56 pm    Post subject: LUKS: possible to have password AND keyfile? Reply with quote
Hello, I'm wondering, if it is possible to have two-factor-authentification with LUKS, so that both a keyfile(on an external media) and a password are required to unlock/open an encrypted partition? Unfortunately, I haven't found something on this, yet, so maybe you can help.
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 23103
PostPosted: Sun Oct 26, 2008 5:09 pm    Post subject: Reply with quote
Theoretically, a password-protected keyfile stored on external media should do what you want. LUKS would not honor the password, so knowing only the password would be useless. The keyfile could not be decrypted without its password, so only having the external media would be useless.
Back to top
View user's profile Send private message
avx
Advocate
Advocate


Joined: 21 Jun 2004
Posts: 2152
PostPosted: Sun Oct 26, 2008 7:16 pm    Post subject: Reply with quote
Well, the problem with this is, that there would be still only one password/passphrase to break. I'm currently using a gpg-protected keyfile, but having yet another passphrase would be nice. Of course, I could split the keyfile in two, protect both parts with gpg and then require to passwords for decrypting, rebuilding the single keyfile into one and pass this to luks - that would be possible, but a little hackish.

So, if I understand correct, there is no official way to require both password and keyfile with luks?
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 23103
PostPosted: Tue Oct 28, 2008 2:45 am    Post subject: Reply with quote
ph030 wrote:
Well, the problem with this is, that there would be still only one password/passphrase to break.


Yes, but you never asked for two passwords. You asked for a password and a physical token. By storing the ciphertext on the token, a password without a token is useless. Without the token, it would not even be possible for an attacker to try to derive the password by brute force, since he needs the ciphertext to decrypt so that he knows when he has found the correct decryption key.

ph030 wrote:
So, if I understand correct, there is no official way to require both password and keyfile with luks?


I am not aware of a way to do so, but I have never researched it to confirm that it is impossible.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



 Links: forums.gentoo.org | www.gentoo.org | bugs.gentoo.org | wiki.gentoo.org | forum-mods@gentoo.org

Copyright 2001-2025 Gentoo Foundation, Inc. Designed by Kyle Manna © 2003; Style derived from original subSilver theme. | Hosting by Gossamer Threads Inc. © | Powered by phpBB 2.0.23-gentoo-p11 © 2001, 2002 phpBB Group
Privacy Policy