Re: Make gpg-keyfile for already encrypted partition
--- Peter Grandi <pg_lcry@xxxxxxxxxxxxxxxxxxx> wrote:
> I'd like to learn why you think that to remove the passphrase from your
> memory and to "put the passphrase in a gpg keyfile" instead might
> conceivably result in "better security".
If someone manages to hack my box, s/he could easily
install a key logger and sniff the passphrase.
With the key file solution, the hacker can only get
the passphrase that decodes the key file. But, as I
would put the file on a USB memory stick, which is
only shortly plugged-in while mounting the partition,
s/he would have some additional effort in order to
also get the file. A simple key logger does not
suffice anymore then.
> Now, if you intend instead to create a new random private key, and use
> that instead of the passphrase as the cipher key, and reencrypt your
> partition, presumably you can use 'aespipe' twice to do that.
I never thought a re-encryption of a partition would be
possible. Where can I find any additional information
on that subject? I guess this includes some significant
risk of losing all the data on the disk, in case
something goes wrong.
> Arguably switching from a passphrase to a random private key in a GPG
> file might slightly improve ``security'' whatever that is, in some
> vaguely plausible scenarios, even if I am a bit sceptical.
The AES-loop readme contains some information on the
differences in security for the various encryption
options. It sounds quite plausible to me.
Thomas
-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/