lumak 08-15-2010 02:51 PM

A pondering about Encrypting the Keycard for a LUKS/LVM partition.
So I was wondering about the dilemma of how to encrypt the password file on a key card to unlock your harddrive without having to enter any password. I came to the conclusion that the scripts could do this without storing any passwords in plain text themselves.

Have a few extra steps to the scripts that would:
1. Read the UUID of any disks coming in.
2. Attempt to use that ID to decrypt a password file stored in the initrd.
3. Use the decrypted password file to unlock the keycard partition.
4. THEN use the password files on the keycard to decrypt the main partition and boot the system.

However, if somebody stole your key card and didn't know what the unencrypted information was, then it's harmless for them to have it anyway. And if they did know, you wouldn't be any better off with it being encrypted because they probably can gain access to your computer anyway; leaving them to just pop the key card in and automatically decrypt the drive.

I suppose encrypting the keycard would give you extra assurance that the information would be much harder to recover if you destroyed the key card in a hurry.

So would this extra security step even be worth it?

I guess the most secure thing would be to only have a password and type it in every time... unless you are concerned about the aliens/government stealing that from your brain which would probably mean they wouldn't need your password anyway.
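The four-step unlock chain from the post above, modelled as an added Python example (not code from the thread): the UUID, passphrase, keyfile and the toy stream cipher are constructed stand-ins for blkid, cryptsetup and the blob in the initrd. It makes the post's own point visible: every input the chain needs travels with the card and the machine.

```python
import hashlib
import hmac

# Constructed sample values (not from the thread). The UUID is what blkid(8)
# reports for the card partition: it sits in the unencrypted partition table
# or filesystem superblock, so it is readable by anyone holding the card.
CARD_UUID = "3f1c2b9e-7d44-4a1b-9c6e-2a8e5d0f1b77"
CARD_PASSPHRASE = b"constructed-passphrase-for-the-card-partition"
MAIN_KEYFILE = bytes(range(32))  # stand-in for the keyfile stored on the card
KEYCARD = {"uuid": CARD_UUID, "passphrase": CARD_PASSPHRASE, "keyfile": MAIN_KEYFILE}

def wrapping_key(uuid: str) -> bytes:
    """Step 2's key, derived only from the card's UUID (PBKDF2 here).
    Whoever can read the UUID can recompute it: obscurity, not secrecy."""
    return hashlib.pbkdf2_hmac("sha256", uuid.encode(), b"initrd-wrap", 10_000, 32)

def _keystream(key: bytes, n: int) -> bytes:
    # Toy SHA-256 counter-mode keystream; illustrative only, use AES-GCM for real
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range(-(-n // 32)))[:n]

def wrap(secret: bytes, key: bytes) -> bytes:
    """Produce the blob that lives in the initrd: ciphertext || HMAC tag."""
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, len(secret))))
    return ct + hmac.new(key, ct, "sha256").digest()

def unwrap(blob: bytes, key: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        raise ValueError("wrong wrapping key or tampered initrd blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

def open_card(card: dict, passphrase: bytes) -> bytes:
    """Step 3: stand-in for `cryptsetup open` on the card partition."""
    if not hmac.compare_digest(card["passphrase"], passphrase):
        raise ValueError("card passphrase rejected")
    return card["keyfile"]

def boot_unlock(card: dict, initrd_blob: bytes) -> bytes:
    """Steps 1-4 as the initrd script would run them. Note the inputs: the
    card and the initrd blob, both of which travel with the hardware.
    No secret that only the owner knows is required anywhere in the chain."""
    uuid = card["uuid"]                                    # step 1: read UUID
    passphrase = unwrap(initrd_blob, wrapping_key(uuid))   # step 2
    keyfile = open_card(card, passphrase)                  # step 3
    return keyfile                                         # step 4: unlock main volume

INITRD_BLOB = wrap(CARD_PASSPHRASE, wrapping_key(CARD_UUID))  # built at install time
```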

GazL 08-15-2010 03:09 PM


lumak 08-15-2010 03:13 PM

hehe I saw that one before... Which is why you go with no passwords that you actually know and always use a key file... Assuming you have time to destroy the keycard...

GazL 08-15-2010 03:15 PM

Using a keyfile is a bit like the key to your front door. If you lose it, and someone finds it, as long as they don't know or can't guess what it's for you have little to worry about.

Going back to your idea: I don't think encrypting the keyfile buys you a great deal, especially if the decryption is going to be automated in some way.

