On Tuesday 2010-05-18 18:56, Stefan G. Weichinger wrote:

> >>> Do you know any howto where it is done "the right way"?
> >>
> >> The right and easy way is to just use the supplied pmt-ehd(8) tool,
> >> which works both interactively and non-interactively, depending on
> >> whether it's called with enough arguments or not, so there's something
> >> for everybody's flavor.
> >> It does not do LUKS yet as of pam_mount 2.2, though. Guess my
> >> todo list gets longer..
>
> :-)
>
> But given the fact that I store the key on the same hard-disk with the
> shadowed user-pw I could also leave that openssl-part straight away,
> correct?? seems the same level of (in)security to me ...
Yes. The point of keyfiles is to be able to change the password on a volume. Without a keyfile, a crypto program would take the password, hash it somehow, and you get your AES key. Changing the password means having a different AES key, meaning decrypting the disk will yield a different result. In other words, changing the password would require at least reading the old data, reencrypting it and writing it again. Takes time. With a keyfile, you retain the same AES key all the time, and encrypt the AES key itself - reencrypting the AES key is quick, as it's only some xyz bits, not terabytes.
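The two layouts contrasted in the reply above, as an added example that is not part of the original thread or of pam_mount: a "direct" volume whose data is encrypted under the password-derived key itself, and a keyfile volume whose random data key is wrapped under the password-derived key. `change_password` returns how many bytes had to be rewritten, which is the whole point of the reply. PBKDF2-HMAC-SHA256 comes from the Python standard library; because the standard library has no AES, an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for the AES mode a real volume tool would use. The `Volume` class, its field names, the iteration count and the sample contents are all constructed for this example.

```python
"""Why a keyfile makes password changes cheap: two volume layouts side by side."""
import hashlib
import hmac
import os

KDF_ITERS = 100_000  # assumed demo value; a real tool tunes this to its hardware


def derive_key(password: bytes, salt: bytes) -> bytes:
    """Hash the password into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, KDF_ITERS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF stream cipher standing in for AES-CTR."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest())
    return b"".join(blocks)[:length]


def _subkeys(key: bytes) -> tuple:
    """Separate encryption and MAC keys derived from one 32-byte key."""
    return (hmac.new(key, b"enc", "sha256").digest(),
            hmac.new(key, b"mac", "sha256").digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag (16 + len + 32 bytes)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key raises instead of returning garbage."""
    if len(blob) < 48:
        raise ValueError("sealed blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted data")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class Volume:
    """keyfile=False: the password-derived key encrypts the data directly.
    keyfile=True: a random data key encrypts the data; the password only wraps that key."""

    def __init__(self, password: bytes, contents: bytes, keyfile: bool):
        self.salt = os.urandom(16)
        pw_key = derive_key(password, self.salt)
        data_key = pw_key
        self.wrapped_key = None
        if keyfile:
            data_key = os.urandom(32)
            self.wrapped_key = seal(pw_key, data_key)  # this blob is the "keyfile"
        self.data = seal(data_key, contents)

    def _data_key(self, password: bytes) -> bytes:
        """Recover the key that actually encrypts the data from the password."""
        pw_key = derive_key(password, self.salt)
        if self.wrapped_key is None:
            return pw_key
        return open_sealed(pw_key, self.wrapped_key)

    def read(self, password: bytes) -> bytes:
        return open_sealed(self._data_key(password), self.data)

    def change_password(self, old: bytes, new: bytes) -> int:
        """Returns how many bytes had to be rewritten on 'disk'."""
        data_key = self._data_key(old)  # raises on a wrong old password
        self.salt = os.urandom(16)
        pw_key = derive_key(new, self.salt)
        if self.wrapped_key is not None:
            self.wrapped_key = seal(pw_key, data_key)  # rewrap 32 bytes; data untouched
            return len(self.wrapped_key)
        self.data = seal(pw_key, open_sealed(data_key, self.data))  # re-encrypt everything
        return len(self.data)


if __name__ == "__main__":
    sample = b"volume block " * 4096  # constructed sample data
    for keyfile in (False, True):
        vol = Volume(b"old-pw", sample, keyfile)
        n = vol.change_password(b"old-pw", b"new-pw")
        print(f"keyfile={keyfile}: password change rewrote {n} bytes")
```

With a keyfile the password change rewrites only the 80-byte wrapped key (16-byte nonce, 32-byte key, 32-byte tag) and the encrypted data is byte-for-byte unchanged; without one, every byte of the volume is decrypted and re-encrypted under a new key. Either way a wrong old password is rejected by the tag check before anything is rewritten.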