Pupeno wrote:
I use the dm-crypt from the kernel....
I've read that it is unsecure and I also read that it is not yet vory well
suported.
Dm-crypt is fairly well supported, since it is in the kernel, but I find
it to be harder to setup and less 'flexible' than loop-AES (the changing
passphrase thing, for example).
It provides rougly the equivalent security as loop-AES in "single-key"
mode (where a single key is used to encrypt every block). loop-AES also
supports multi-key mode, where 64 different keys are used to encrypt the
blocks. Multi-key makes certain kinds of attacks (specifically,
watermark) more difficult, but is slower.
However, I seem to recall reading somewhere in the last couple of weeks
that dm-crypt was also getting multi-key support...maybe in the
mm-kernel, or for 2.6.13...
Now, I doubt that most people actually _need_ the extra security of
multi-key encryption. Personally I run loop-AES in single-key mode
because it is faster than multi-key. Plus someone willing to go through
the effort of cracking multi-key encryption would find it much easier to
simply make a credible physical threat, and I will happily give them my
password!! :-)
I know I don't need a key, but I do want a key (stored in a remobable modia)
encripted with a passphrase I will be able to change, or best, my wife can
have the key protected with a different passphrase than I do.
Beyond that, encripting with a key is much better than doing that with a
passphrase because the passphrase can be cracked (dictionary attack) while
the key-encripted that can't.
Well, technically, anything can be cracked given enough time and
computing power.
For using different passwords, this is possible. You would need to
encrypt the same key file with gpg to two different .gpg files....your
wife can use one, and you can use the other. If the key files are
stored on separate pieces of removable media, then you each have your
own "keys" to the system.
-Richard
--
[email protected] mailing list
