> Am 24.10.2019 um 03:27 schrieb Aaron Mason <simplersolut...@gmail.com>:
> 
> On Wed, Oct 23, 2019 at 7:45 PM Normen Wohner <nor...@wohner.eu> wrote:
>> 
>> To enable two factor encryption?
>> One passcode is in his head the other on a key.
>> If either is missing the data on drive is unreadable.
>> I don’t know what is hard to understand about it.
>> In an ideal world you’d use the manual passcode
>> to decrypt the keydisk and then the keydisk
>> to decrypt the fs.
>> You should also not be able to tell
>> whether the keydisk was in fact encrypted,
>> the bootloader should try and on failure ask
>> for a passcode, not expect there to be some
>> 'RSA-2048' written at the end.
>> It’s hard for me to understand why nobody asked for this sooner.
>> 
> 
> You could just use a passphrase on the original disk to the same
> effect.  No sense over-complicating things.

No, you could not: that way whoever has the keydisk has access to the files on 
disk; otherwise you still need a password. Not sure what is unclear about this. 
Maybe you think this is about login? It is actually about obfuscating the login 
process and enabling 2FA.
Maybe you think live files are still encrypted when the OS runs but no user is 
logged in. That is sadly not the case.


Regarding your second question, whatever part or level of the "bootloader" 
normally checks for a keydisk already has access to the full range of supported 
en- and decryption mechanisms, as it uses the key to do just that to the disk. 
This would simply add a second decrypt trial.
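The scheme argued for above (passphrase unwraps the keydisk, keydisk unwraps the volume key, and the loader just tries the keydisk raw first and asks for a passphrase only when that fails, with no marker on the keydisk) can be modelled in a few dozen lines. The following is an added example, not code from this thread and not softraid's or the OpenBSD bootloader's actual on-disk format or logic; the HMAC-SHA256 based seal/unseal construction is a stdlib stand-in for a real authenticated cipher, and names such as `provision`, `unlock`, `keydisk_image` and `disk_header` are invented for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

KEY_LEN = 32


# --- stand-in authenticated encryption (illustrative, stdlib only) ---------
# keystream block i = HMAC(enc_key, nonce || i); tag = HMAC(mac_key, nonce || ct).
# This only models "decrypt with key K, fail if K is wrong"; it is not a format
# any real disk-encryption tool uses.
def _subkeys(key: bytes):
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Return the plaintext, or raise ValueError if the key is wrong / data is damaged."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def passphrase_key(passphrase: bytes, salt: bytes) -> bytes:
    # Slow KDF so the "something you know" factor resists offline guessing.
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 200_000, dklen=KEY_LEN)


# --- provisioning ----------------------------------------------------------
def provision(passphrase: Optional[bytes]):
    """Create a volume; returns (keydisk_image, disk_header, volume_key).

    passphrase=None : plain keydisk carrying the raw key (one factor: whoever
                      holds the keydisk can unlock the disk).
    passphrase set  : the keydisk's contents are themselves sealed under the
                      passphrase (two factors: key held AND passphrase known).
    """
    volume_key = secrets.token_bytes(KEY_LEN)   # key the filesystem is encrypted with
    keydisk_key = secrets.token_bytes(KEY_LEN)  # key that unwraps volume_key; lives on the keydisk
    disk_header = seal(keydisk_key, volume_key)  # what sits on the encrypted disk
    if passphrase is None:
        keydisk_image = keydisk_key              # raw key, no passphrase involved
    else:
        salt = secrets.token_bytes(16)
        keydisk_image = salt + seal(passphrase_key(passphrase, salt), keydisk_key)
    return keydisk_image, disk_header, volume_key


# --- boot-time unlock ------------------------------------------------------
def unlock(keydisk_image: bytes, disk_header: bytes,
           ask_passphrase: Callable[[], bytes]) -> bytes:
    """Recover the volume key the way the post proposes: no marker on the
    keydisk, just try it raw and fall back to asking for a passphrase."""
    # Attempt 1: treat the keydisk contents as the raw unwrapping key.
    try:
        return unseal(keydisk_image[:KEY_LEN], disk_header)
    except ValueError:
        pass
    # Attempt 2: treat the keydisk as passphrase-sealed; both factors are needed.
    salt, sealed = keydisk_image[:16], keydisk_image[16:]
    keydisk_key = unseal(passphrase_key(ask_passphrase(), salt), sealed)  # ValueError on wrong passphrase
    return unseal(keydisk_key, disk_header)
```

With a plain keydisk, `unlock` never calls `ask_passphrase`, which is the one-factor situation the reply objects to; with a sealed keydisk, neither the passphrase alone nor the keydisk alone recovers the volume key, and the loader cannot tell the two keydisk layouts apart except by trying.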

