LUKS with USB key authentication, how secure is it?

linux usb usb-drive luks dm-crypt
5,239

It depends on your point of view. It's more secure since keyfiles usually are truly random while passphrases tend to be short and weak.

Then again a passphrase, on its own, takes about $5 to break, either using a keylogger dongle or modified bootloader/initramfs or the infamous XKCD decryption wrench. Same is true for keyfiles if it's only that file on the USB stick, while bootloader/initramfs is unprotected on HDD.

The USB key on the other hand, gives anyone access - if you left it plugged in instead of carrying it on your person at all times. Anyone can copy an unattended USB stick quickly and easily...

I do both... a USB key which contains bootloader, kernel, initramfs with LUKS-encrypted keyfiles which requires a passphrase to be accessed. So you need both key and passphrase to unlock. Not sure if you can call this a two factor authentication - it's about the limit of what I was willing to do while keeping things practical. (Bootable USB stick is also useful for carrying a dozen LiveCDs around).

What's your threat model anyway, did you even think about it?

If you let me move into your house, do you want me to be able to access your data with little to no effort?

If you died tomorrow, do you want your relatives to be able decrypt your stuff?

With USB key that does not take a passphrase, it would be possible - and desireable for those family photos only you have a copy of...

I have a server that decrypts itself on bootup [using hardware fingerprints such as cpu, ram, mac address, ...], no interaction at all necessary... threat model here is that someone might remove the drive and put it into another customer's box, or stuff like that.

Share:
5,239

Related videos on Youtube

Mario Kamenjak
Author by

Mario Kamenjak

Updated on September 18, 2022

Comments

  • Mario Kamenjak
    Mario Kamenjak over 1 year

    I am thinking of creating a LUKS encryption by using a USB key instead of a passphrase to unlock my hard drive.

    However some people told me that using a USB key for authentication is less secure than a passphrase. My question is: How is it less secure? And I am thinking about a scenario where I use said USB key only on my own devices and in this scenario my USB key is never stolen.

    I know I could go even further and set up a two factor authentication but that is not what I am asking about.

  • Mario Kamenjak
    Mario Kamenjak almost 7 years
    "What's your threat model anyway, did you even think about it?" I am doing this just as a learning experience. "If you let me move into your house, do you want me to be able to access your data with little to no effort?" I am the only user of my device. So, no. Also I plan to put the USB on my keyring with my very expensive apartment key. So I will have the USB stick always with me. I may make a backup key stashed away in a very hidden place. "If you died tomorrow, do you want your relatives to be able decrypt your stuff?"
  • frostschutz
    frostschutz almost 7 years
    Regarding backup key, you might consider a backup passphrase too. LUKS supports up to 8 different phrases/keys.
  • Gilles 'SO- stop being evil'
    Gilles 'SO- stop being evil' almost 7 years
    A passphrase takes more than $5 to break. You can get a wrench for $5 but even cheap goons cost more than that. Chamber maid attacks can be dirt cheap but they require physical access multiple times, which is a far more advanced threat than device theft.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to avoid powering down certain USB devices when a machine is suspended
dm-crypt+luks: Can I have a separate header without storing it on the luks encrypted device?
how to execute a script every time any USB get mounted
How to remove a USB drive without worrying if its been unmounted?
Best practice to backup a LUKS encrypted device
How to reconnect a logically disconnected USB device?
How to re-mount a USB stick after unmounting from Nautilus without disconnecting it?
LUKS on Ubuntu 16.04 : unknown filesystem type 'crypto_LUKS'
Are there open source Linux drivers for the Panda Wifi USB adapter?
Determine if a usb is mounted using lsusb data