LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 03-15-2017, 04:19 PM   #1
CWLang
LQ Newbie
 
Registered: Mar 2017
Posts: 5

Rep: Reputation: Disabled
Which is more secure? A passphrase or key file for cryptsetup?


Hello,

I'm going to use cryptsetup on a usb stick. I've done this before and always use a passphrase. I wasn't aware that a key file can be used as well. So, which is better? Or is it possible to use both to authenticate?

thanks
 
Old 03-15-2017, 04:31 PM   #2
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3175Reputation: 3175Reputation: 3175Reputation: 3175Reputation: 3175Reputation: 3175Reputation: 3175Reputation: 3175Reputation: 3175Reputation: 3175Reputation: 3175
I think it really depends on how you plan to use the USB stick. If you're using it for transport between known computers, each one of which would be expected to have a copy of the key-file installed, then this would be more secure than a passphrase. But you can't "type in" a key.

If your objective is simply to make a USB "useless if stolen, but still relatively easy to use," a passphrase is probably good enough.
 
Old 03-15-2017, 05:30 PM   #3
CWLang
LQ Newbie
 
Registered: Mar 2017
Posts: 5

Original Poster
Rep: Reputation: Disabled
I think I'll stick with the passphrase as a better option for transport of usb sticks. Besides, if I use a key file I would need an extra usb stick to hold the key file. Thanks sundialsvcs...
 
Old 03-16-2017, 09:44 AM   #4
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3175Reputation: 3175Reputation: 3175Reputation: 3175Reputation: 3175Reputation: 3175Reputation: 3175Reputation: 3175Reputation: 3175Reputation: 3175Reputation: 3175
/me nods ...

Yes, this seems to me to best-suit your use case.

To illustrate the opposing case: I once did a project for an insurance company who wanted to be able to put subscriber medical-records onto a USB stick that the patient could then carry to one of their health-care centers ... recently-acquired centers in small towns that (at that time) were not fully integrated into their corporate system. It was crucial, for legal reasons, that the information must be "HIPAA-compliant" secure.

The objective was reached by using a certificate-encrypted filesystem, installing an encrypted copy of the certificate on the computers at the clinic. When the stick was inserted into one of those computers, the information could be read. But a "passphrase" did not exist: only the intended computers could retrieve the data, and we could prove this to any government security-compliance auditor.

(The insurance company's attorneys carefully scrutinized and then approved our plan, which was fully understood to be an interim measure.)

In time, the company upgraded their systems in all of their clinics so that medical records can now be securely retrieved from their secure corporate databases just by scanning a QR-code on the membership card. (This just contains a membership number and an extra "nonce.") They stopped using the sticks. But they didn't have to attempt to get people to turn the sticks in, because they remained confident – and, it was true – that the information they still contained remained secure. (Instead, they invited people to simply re-format them and use them as they pleased.)

The way we did it, you couldn't even begin to access the content of the drive: every sector was enciphered using a random key that was thousands of bits long. If you stuck the thing into an ordinary computer, there was no readable file system at all. (Windows would "helpfully" offer to format it for you, and some customers did. ) But the bottom line was that the information which could be easily read at a clinic could not be accessed otherwise – even to this day – and we could prove it.

Last edited by sundialsvcs; 03-16-2017 at 11:26 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
How to make a key file for use with cryptsetup & luks taylorkh Linux - Security 5 09-01-2016 09:12 AM
cryptsetup - canīt open luks parittion - "no key available with this passphrase" ts0 Linux - Software 1 06-08-2013 11:46 AM
cryptsetup luks key file sam42 Linux - Security 1 09-22-2011 01:11 AM
cryptsetup won't open crypted fs on raid5 with known luks passphrase luboss Linux - Security 3 11-13-2008 01:55 PM
cryptsetup with passphrase file on USB stick titopoquito Slackware 7 10-30-2007 06:37 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 11:56 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration