[arch-general] can't unlock a luks encrypted partition. (urgent).

Heiko Baums lists at baums-on-web.de
Fri Oct 9 20:55:21 EDT 2009


Am Sat, 10 Oct 2009 03:09:14 +0300
schrieb Roman Kyrylych <roman.kyrylych at gmail.com>:

> I don't see why it's more secure.

Because your / partition, where you have stored your passphrase as
clear text in /etc/crypttab, is unlocked if your computer is running.
If you get hacked, your passphrase can easily be read. If the key is on
the USB stick, the USB stick is unplugged and the computer gets hacked,
the passphrase and the key can't be read. Of course it is somewhere in
RAM, but I don't know how hard it is to find it there if the system
gets hacked online.

> And that's why it's much less secure,
> someone just takes your USB stick and logs in.

First, you should keep the USB stick safe and shouldn't let it be taken
by someone else. Second, if you format the USB stick with e.g. ext3 and
write the keyfile with dd to a free place, then it looks like an empty
filesystem if it gets mounted. The keys can only be found by searching
the raw data with e.g. a hex editor. And then the person who has taken
your USB key must know that it is a key for your partitions.

Well, of course the offset can be found in the kernel line in menu.lst
on the unencrypted /boot partition. But this would imply that the person
who has stolen your computer and your USB stick(s) needs to know which
is the right stick. And he must know a bit about Linux and LUKS.

It's more likely that a hacker who hacks you online has Linux and LUKS
knowledge than someone who steals your computer and your USB stick
offline.

But, of course, nothing is 100% secure. And I guess it's a matter of
philosophy. It depends on where the higher danger is, offline or online.

Heiko
