
List:       gentoo-user
Subject:    Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
From:       Dale <rdalek1967 () gmail ! com>
Date:       2023-09-19 11:13:40
Message-ID: 336f85c5-2c64-5ebf-2dd5-6944043bc2ce () gmail ! com

Hmmmm,

For some reason, I didn't get Michael's email.  I see him being quoted
but don't have his original.  I wonder what is up with that.  O-o


Rich Freeman wrote:
> On Tue, Sep 19, 2023 at 4:26 AM Michael <confabulate@kintzios.com> wrote:
>> On Tuesday, 19 September 2023 06:36:13 BST Dale wrote:
>>> Howdy,
>>>
>> A strong
>> password, like a strong door lock, buys you time.  Hence the general
>> recommendation to change your passwords frequently.
> While that can help on websites, it is of no use for full disk
> encryption passwords - at least not without jumping through some big
> hoops.
>
> In order to crack your LUKS password somebody obviously needs to be
> able to read the encrypted contents of your disk.  They cannot begin
> cracking it until they have a copy of the LUKS headers.  However, once
> they do have it, they can make a copy and crack it at their leisure.
> If they manage to crack it, then it will give them the volume key.  At
> that point if they were able to make a full copy of your disk they can
> read whatever was on it at the time.  If they can make a fresh copy of
> your disk then changing the passphrase will not change the volume key,
> and so they'll be able to read what is currently on your disk.
>
> Changing the volume key would defeat this, but requires running
> cryptsetup-reencrypt which will take considerable time/CPU, though it
> sounds like it can be done online.
>


Let's jump into a hypothetical here.  Let's say I'm a nasty terrorist or
some other really evil dude.  Let's say I have passwords that are really
good.  Let's say around 20 characters and a really nice mix of
characters.  If some gov't agency got my hard drive, how long would it
take for them to crack it?  I know when Snowden released all that info,
there were some changes to encryption.  Still, do they have the ability
to crack them without much trouble?  Is there something better to use
than what I'm using now?

I might add, when I configured my three drive setup, I sort of did it a
different way.  I still used cryptsetup but I used it later in the
process.  I also made sure to put the luks bit in.  That way I can
change passwords if needed.  I found a new howto and it seems to end the
same way but it's done in layers.  Luks first and then encryption but
different somehow.  Mostly, I can change passwords on it.  I don't
really get the whole thing, yet.  If I read it enough, my light bulb
will come on.  o_O 


>
>>> Also, I use cryptsetup luksFormat -s 512 ... to encrypt things.  Is
>>> that 512 a good number?  Can it be something different?  I'd think since
>>> it is needed as an option, it can have different values and encrypt
>>> stronger or weaker.  Is that the case?  I've tried to find out but it
>>> seems everyone uses 512.  If that is the only value, why make it an
>>> option?  I figure it can have other values but how does that work?
> You can use a different size, but 512b is the recommended value for
> the default cipher.  It is also the default I believe, so there isn't
> much point in passing it.  Actually, I'd consider passing that
> parameter harmful unless you also specify the cipher.  If in the
> future the default changes to some other cipher, perhaps 512b will no
> longer be appropriate, and you'll weaken it by specifying one and not
> the other.
>
> If you just want to trust the defaults, then trust the defaults.
>
> As to why 512b is the recommendation, that seems like it would require
> a LOT more reading.  Apparently it is in an IEEE standard and I'd need
> to grok a lot more crypto to appreciate it.
>

Well, I was wondering if it could be set to 1024 and it make the
encryption stronger or something.  I've searched but no one explains
what that number really does other than set something.  Since that is
the default, I guess I can leave that out of my command.  Save me some
typing.  Anyway, 512 it is. 

Dale

:-)  :-) 
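The two points Rich makes above (a passphrase change re-wraps the same volume key, so a copied header plus a later-cracked passphrase still reads the live disk until the volume is re-encrypted; and the meaning of `-s 512`) are easier to see in a model than in prose. The following is an added example, not cryptsetup's own code: it is a toy of the LUKS key hierarchy using only the Python standard library, so the key wrap and the data encryption are PBKDF2 plus an HMAC-SHA256 keystream rather than LUKS's real AES wrap and anti-forensic splitter. Function names, the sample passphrases and the "secret plan" sector contents are constructed. The `effective_cipher_bits` helper encodes one fact the thread hints at: the XTS mode in the default `aes-xts-plain64` (IEEE Std 1619) consumes two keys, so `-s 512` means AES-256, not a 512-bit AES.

```python
# Toy model of the LUKS key hierarchy (added illustration, not cryptsetup code).
# The passphrase never encrypts data: it derives a key-encryption key (KEK) that
# unwraps the volume key held in the header, and the volume key encrypts sectors.
import hashlib
import hmac
import secrets

KEY_LEN = 32  # bytes: a 256-bit volume key in this model


def kdf(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Passphrase -> KEK with PBKDF2-HMAC-SHA256 (LUKS2 defaults to argon2id)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, KEY_LEN)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stands in for AES in this toy."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def luks_format(passphrase: str, iterations: int = 50_000) -> dict:
    """Header with one key slot: the random volume key wrapped under the KEK."""
    volume_key = secrets.token_bytes(KEY_LEN)
    salt, digest_salt = secrets.token_bytes(16), secrets.token_bytes(16)
    kek = kdf(passphrase, salt, iterations)
    return {
        "salt": salt,
        "iterations": iterations,
        "wrapped_key": xor(volume_key, keystream(kek, b"slot", KEY_LEN)),
        # Like LUKS, store a KDF digest of the volume key so an unlock can be verified.
        "digest_salt": digest_salt,
        "digest": hashlib.pbkdf2_hmac("sha256", volume_key, digest_salt, 1000, KEY_LEN),
    }


def open_volume(header: dict, passphrase: str):
    """Return the volume key if the passphrase unwraps it correctly, else None."""
    kek = kdf(passphrase, header["salt"], header["iterations"])
    candidate = xor(header["wrapped_key"], keystream(kek, b"slot", KEY_LEN))
    check = hashlib.pbkdf2_hmac("sha256", candidate, header["digest_salt"], 1000, KEY_LEN)
    return candidate if hmac.compare_digest(check, header["digest"]) else None


def change_passphrase(header: dict, old: str, new: str) -> dict:
    """luksChangeKey analogue: the SAME volume key is re-wrapped under a new KEK."""
    volume_key = open_volume(header, old)
    if volume_key is None:
        raise ValueError("wrong passphrase")
    new_header = dict(header)
    new_header["salt"] = secrets.token_bytes(16)
    kek = kdf(new, new_header["salt"], header["iterations"])
    new_header["wrapped_key"] = xor(volume_key, keystream(kek, b"slot", KEY_LEN))
    return new_header


def encrypt_sector(volume_key: bytes, sector: int, data: bytes) -> bytes:
    """Sectors are encrypted with the volume key, never with the passphrase."""
    return xor(data, keystream(volume_key, sector.to_bytes(8, "big"), len(data)))


decrypt_sector = encrypt_sector  # keystream XOR is its own inverse


def reencrypt(header: dict, passphrase: str, sectors: list) -> tuple:
    """cryptsetup-reencrypt analogue: fresh volume key, every sector rewritten."""
    old_key = open_volume(header, passphrase)
    if old_key is None:
        raise ValueError("wrong passphrase")
    new_header = luks_format(passphrase, header["iterations"])
    new_key = open_volume(new_header, passphrase)
    return new_header, [encrypt_sector(new_key, i, decrypt_sector(old_key, i, c))
                        for i, c in enumerate(sectors)]


def header_copy_scenario() -> dict:
    """Someone copied the header earlier and later recovers that old passphrase."""
    header = luks_format("old passphrase")
    stolen_header = dict(header)                      # the copy they keep
    disk = [encrypt_sector(open_volume(header, "old passphrase"), 0, b"secret plan v1")]

    # Owner changes the passphrase and writes new data; the volume key is unchanged.
    header = change_passphrase(header, "old passphrase", "new passphrase")
    disk = [encrypt_sector(open_volume(header, "new passphrase"), 0, b"secret plan v2")]
    stolen_vk = open_volume(stolen_header, "old passphrase")
    after_change = decrypt_sector(stolen_vk, 0, disk[0]) == b"secret plan v2"

    # Owner re-encrypts instead: new volume key, the old header copy is now useless.
    header, disk = reencrypt(header, "new passphrase", disk)
    after_reencrypt = decrypt_sector(stolen_vk, 0, disk[0]) == b"secret plan v2"
    return {"readable_after_passphrase_change": after_change,
            "readable_after_reencrypt": after_reencrypt}


def effective_cipher_bits(cipher_spec: str, key_size_bits: int) -> int:
    """Per-key strength implied by a cryptsetup -s value: XTS takes two keys."""
    mode = cipher_spec.split("-")[1]
    return key_size_bits // 2 if mode == "xts" else key_size_bits


if __name__ == "__main__":
    print(header_copy_scenario())                      # change: True, reencrypt: False
    print(effective_cipher_bits("aes-xts-plain64", 512))  # 256
```

`header_copy_scenario()` returns `readable_after_passphrase_change: True` and `readable_after_reencrypt: False`, which is exactly Rich's argument: rotating the passphrase only helps against someone who has not yet captured the header, while re-encryption invalidates every earlier copy at the cost of rewriting the whole device.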
