Recently I have begun playing with whole disk encryption on my "servers" - really backup/archive data storage boxes & part time NAS. I have created the encrypted partitions with cryptsetup & luks (CentOS 7 and Ubuntu 16.04). I added a key file and the partitions will unlock and mount using entries in /etc/crypttab and /etc/fstab. I still have the original passphrase associated with the encrypted partitions in case the keyfile is lost or corrupted.
In order to step up my security game I could remove the passphrase and make the partitions rely only on the key file. This of course necessitates some redundant backup of the key file. Which got me thinking (always dangerous)
To quote Basil Rathbone (as Sherlock Holmes in the movie The Secret Weapon) "I have always believed in the theory first put forward by the American author Edgar Allan Poe that the best place to hide something is where everyone can see it." Which gave me the idea to use some binary file which I have on my computer and which I have backed up already. For example I might take the file FOXSWAP.COM 5.8k (part of FoxPro for DOS which I still use to run a little expense tracking application which I wrote in 1986), rename it and use it as the key file. If the key file was lost I would know where to get a replacement copy from.
Which brings me to the question of this post... A machine language binary file would probably be just fine as a key. Most references I have read speak of using /dev/urandom and dd to create the file. This is in fact the approach I took for the initial key file. What about...
Suppose I take some pdf file - say my November 2002 bank statement, start at some offset known only to me and snag a few k of bytes - again only known by me? Provided I do not get a chunk of the file which is full of nulls, would this work just as well?
What about a couple of pages of a book or a historic document keyed into an ascii file? Would either of those be less effective than a "pure" binary file?
TIA,
Ken
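
An added example, not part of the original post: a Python sketch of the checks the question implies for a candidate key file (a slice taken at a chosen offset, runs of nulls, byte distribution). The function names and sample buffers are constructed for illustration, and the byte-histogram entropy only measures how uniform the bytes are, not whether someone else could obtain the same file.

```python
import math
import os
from collections import Counter


def slice_key(data: bytes, offset: int, length: int) -> bytes:
    """Take `length` bytes starting at `offset`, like dd skip=/count= with bs=1."""
    chunk = data[offset:offset + length]
    if len(chunk) != length:
        raise ValueError("slice runs past end of source file")
    return chunk


def byte_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte (max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def longest_null_run(data: bytes) -> int:
    """Length of the longest run of consecutive 0x00 bytes."""
    best = run = 0
    for b in data:
        run = run + 1 if b == 0 else 0
        best = max(best, run)
    return best


def assess(data: bytes) -> dict:
    """Summarise a candidate key: size, byte entropy, longest null run."""
    return {
        "bytes": len(data),
        "entropy_bits_per_byte": round(byte_entropy(data), 3),
        "longest_null_run": longest_null_run(data),
    }


# Constructed sample inputs (stand-ins, not real files).
RANDOM_KEY = os.urandom(4096)  # comparable to a key made with dd if=/dev/urandom
ASCII_TEXT = b"the best place to hide something is where everyone can see it " * 80
PADDED_FILE = b"%PDF-1.4\n" + b"\x00" * 3000 + os.urandom(2000)  # contains a null block

if __name__ == "__main__":
    print("urandom", assess(RANDOM_KEY))
    print("ascii  ", assess(slice_key(ASCII_TEXT, 100, 4096)))
    print("padded ", assess(slice_key(PADDED_FILE, 5, 4096)))
```
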