Gentoo Forums
openssl vs gnupg in initrd for encrypting LUKS-keyfile
meyerm
Veteran


Joined: 27 Jun 2002
Posts: 1311
Location: Munich / Germany

PostPosted: Mon Nov 30, 2009 9:25 am    Post subject: openssl vs gnupg in initrd for encrypting LUKS-keyfile

Hi,

I'd like to encrypt my root partition using a keyfile stored on a USB key. This keyfile shall be protected by a password. I already found a Gentoo bug where a nice guy patched genkernel to support gnupg to do exactly this.

Now I'm wondering what the main reason is for using gnupg instead of e.g. openssl. Both are capable of encrypting files with a password - in this scenario I won't use any certificates etc., so this is a non-issue. OpenSSL on the other hand should be available on almost every linux system, so it'd be easy to access the keyfile. You are more likely to have to install GnuPG on your rescue system.

So: what are the (dis-)advantages of using GnuPG over OpenSSL in this case?

Thanks,
M


Last edited by meyerm on Tue Dec 01, 2009 10:55 am; edited 1 time in total
Skyr
n00b


Joined: 16 Mar 2005
Posts: 8

PostPosted: Mon Nov 30, 2009 10:38 pm    Post subject:

Basically speaking, if both openssl and gnupg do everything right(tm), it would make no difference.
gpg specializes in the encryption and storage of messages (avoiding any pitfalls); openssl is more like a swiss army knife, offering the very basic cryptographic operations on the command line. I assume that you thought about using something like
Code:
openssl aes-256-cbc -e ...

If you try to encrypt the same data with the same passphrase twice, openssl will give you the same output for each try. gpg automatically adds some salt, so the results will be different (but in this case, the "data" is some white noise generated by a good RNG - so this is no real cryptographic advantage). The data format of gpg should also allow the encryption of the same data with several different keys (might be interesting for data recovery, although you could achieve the same effect with LUKS).
On Gentoo, using gpg is especially easy because you need a static build of your encryption tool for the initrd - and gpg has a use flag for that (which openssl hasn't) ;)

So, in the end, if you do everything correct, it's more or less a matter of taste.
meyerm
Veteran


Joined: 27 Jun 2002
Posts: 1311
Location: Munich / Germany

PostPosted: Wed Dec 02, 2009 3:41 pm    Post subject:

Thank you for answering.

Skyr wrote:
If you try to encrypt the same data with the same passphrase twice, openssl will give you the same output for each try. gpg automatically adds some salt, so the results will be different

I think openssl then changed the behaviour some time ago. For as long as I have used it, the key gets salted, even though there is still an option called "-salt". So I guess the default was once to not salt:
Code:
[~]
meyerm@yavin :-) $ openssl enc -aes-256-cbc -p -in testfile -out testfile.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
salt=38F509E0897FF5B3
key=A716E9BEA658F6D26F4B225E060B855E4155DC04DE176881B41646669B5A2A59
iv =7CDEDACE4A88B98D8ADF2C48C69E69B9
[~]
meyerm@yavin :-) $ openssl enc -aes-256-cbc -p -in testfile -out testfile.enc2
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
salt=1B40F487682E5260
key=5D6690EC396697F31A68DE89F8FD138A0FD929D7FAB7C78578E97B1FDB4F3CE6
iv =2FD557AF3AF93C178F4E7840BEDD9D53
[~]
meyerm@yavin :-) $ diff testfile.enc testfile.enc2
1c1
< Salted__8�    �����_J���i��t��B��
\ No newline at end of file
---
> Salted__��h.R`<s�N�ﴚU��TN��W
\ No newline at end of file
[~]
meyerm@yavin :-( $



Skyr wrote:
On Gentoo, using gpg is especially easy because you need a static build of your encryption tool for the initrd - and gpg has a use flag for that (which openssl hasn't) ;)


Even though I'd prefer OpenSSL because of its availability on most systems, I fully agree with you on this - having a binary built by portage without having to do anything manually is worth a lot :-)
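The salt behaviour Skyr and meyerm discuss above (identical output for one passphrase without a salt; the `Salted__` header and the `salt=`/`key=`/`iv =` lines with one), as an added example that is not part of any post in this thread: a Python re-implementation of the EVP_BytesToKey derivation that `openssl enc` uses in password mode, plus a parser for the file header. The passphrase and salt bytes are constructed, so the printed key and IV will not match meyerm's transcript.

```python
import hashlib
import os

SALT_MAGIC = b"Salted__"  # header 'openssl enc' writes in front of the 8-byte salt


def evp_bytes_to_key(password, salt, key_len=32, iv_len=16, md=hashlib.md5, count=1):
    """OpenSSL's EVP_BytesToKey, the KDF behind 'openssl enc' password mode.

    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt), each H
    applied 'count' times; the concatenated D_i are split into key and IV.
    MD5 with count=1 is the 2009-era default seen in the thread; OpenSSL
    1.1.0 and later default to SHA-256 (pass md=hashlib.sha256).
    """
    derived, prev = b"", b""
    while len(derived) < key_len + iv_len:
        block = prev + password + salt
        for _ in range(count):
            block = md(block).digest()
        derived += block
        prev = block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def parse_salted(blob):
    """Split 'openssl enc' output into (salt, ciphertext); a file written
    with -nosalt has no header and is rejected here."""
    if len(blob) < 16 or not blob.startswith(SALT_MAGIC):
        raise ValueError("no Salted__ header: -nosalt output or not openssl enc")
    return blob[8:16], blob[16:]


def key_iv_for_file(password, blob, md=hashlib.md5):
    """Recover the aes-256-cbc key and IV of an 'openssl enc' file from its salt."""
    salt, _ciphertext = parse_salted(blob)
    return evp_bytes_to_key(password, salt, 32, 16, md)


def same_key_twice(password, salted=True):
    """Derive key/IV twice, like two 'openssl enc' runs with one passphrase;
    True means both runs would encrypt the keyfile identically."""
    salts = [os.urandom(8), os.urandom(8)] if salted else [b"", b""]
    return evp_bytes_to_key(password, salts[0]) == evp_bytes_to_key(password, salts[1])


if __name__ == "__main__":
    pw = b"constructed-passphrase"  # constructed sample, not from the thread
    print("identical without salt:", same_key_twice(pw, salted=False))  # True
    print("identical with salt:   ", same_key_twice(pw, salted=True))   # False
    # constructed file header: magic, 8-byte salt, then dummy ciphertext bytes
    blob = SALT_MAGIC + bytes.fromhex("0011223344556677") + b"\x00" * 16
    key, iv = key_iv_for_file(pw, blob)
    print("salt=%s\nkey=%s\niv =%s" % (blob[8:16].hex().upper(), key.hex().upper(), iv.hex().upper()))
```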