I would like to see support for LUKS multiple keys/passphrases. Specifically I have two scenarios:

1) Needle in the haystack. I would like to place a directory on the boot partition with a few hundred key-files. At login I am prompted for my passphrase, which is currently how Fedora works. After I enter my passphrase I am prompted for my key-file(s), a simple text box in which I can enter a comma delimited list of key-files to use, e.g. 5, 23, 192.

An important note: in order for the 1st scenario to work, any metadata about when the files were accessed must be scrubbed. If I have a hundred key-files but three of them show the same last accessed date then it would defeat the purpose.

2) I would like to be able to put in a USB key with key-files on it. And as with scenario 1 I would be prompted for a comma delimited list of key-files to use.

How I would envision this working is the boot-loader would search all available drives for a specific directory name, e.g. luks-keys. In this directory would be the files it uses for keys.

sda1
 -luks-keys (dir)
  --1 (key-file just named "1")
  --key3.txt (key-files named anything the user wishes)
  --5
  --23
  --192
sdb1
 -luks-keys (dir)
  --2
  --3
  --44
sdb3
 -luks-keys (dir)
  --22
  --33
  --444
Just append the list of key-files to your passphrase instead, e.g. if you used the passphrase "this is my passphrase" use instead "this is my passphrase 5, 23, 192". Then you get imho the same effect wrt. the work needed to brute force the passphrase. If you also want some keyfile on usb support in /etc/crypttab, please open a bug report against the package initscripts.
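The following is an added example to illustrate both posts above; it is not code from the requester, from Fedora, or from cryptsetup. It models the "needle in the haystack" scheme of the request (a directory of key-files, a comma-delimited selection) together with the access-time check the requester asks for, and it computes the extra search space the reply is talking about when it says appending the list to the passphrase gives the same effect. The directory layout, the file names, the `derive_key` function and its SHA-256 combination of passphrase and file contents are assumptions made for illustration only; real LUKS keys live in cryptsetup key slots and are not derived this way.

```python
"""Added example (not part of the thread): a model of the key-file haystack
idea, the atime leak the requester warns about, and the search-space
arithmetic behind the reply. All names and the key combination are
illustrative assumptions, not LUKS/cryptsetup behaviour."""
import hashlib
import math
import os
import secrets
import tempfile
from collections import Counter
from typing import Optional


def build_haystack(keys_dir: str, count: int, size: int = 64) -> list:
    """Create `count` random key-files named "1".."count" (constructed sample
    data standing in for the luks-keys directory) and return their names."""
    names = []
    for i in range(1, count + 1):
        name = str(i)
        with open(os.path.join(keys_dir, name), "wb") as f:
            f.write(secrets.token_bytes(size))
        names.append(name)
    return names


def derive_key(passphrase: str, keys_dir: str, selection: str) -> bytes:
    """Combine the passphrase with the key-files named in a comma-delimited
    list such as "5, 23, 192" (whitespace ignored, order significant).
    Assumed construction: SHA-256 over length-prefixed fields so that
    "1"+"23" and "12"+"3" cannot collide."""
    names = [s.strip() for s in selection.split(",") if s.strip()]
    h = hashlib.sha256()
    h.update(passphrase.encode("utf-8"))
    for name in names:
        with open(os.path.join(keys_dir, name), "rb") as f:
            data = f.read()
        h.update(len(name).to_bytes(2, "big") + name.encode("utf-8"))
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()


def atime_outliers(keys_dir: str) -> list:
    """Names of key-files whose last-access time differs from the most common
    one in the directory. Any non-empty result means the haystack leaks which
    files were used, exactly the failure the requester points out."""
    atimes = {name: os.stat(os.path.join(keys_dir, name)).st_atime_ns
              for name in os.listdir(keys_dir)}
    if not atimes:
        return []
    common, _ = Counter(atimes.values()).most_common(1)[0]
    return sorted(name for name, t in atimes.items() if t != common)


def scrub_atimes(keys_dir: str, when_ns: Optional[int] = None) -> None:
    """Set every key-file's atime and mtime to one instant (default: the
    newest mtime present) so timestamps say nothing about which were read."""
    paths = [os.path.join(keys_dir, n) for n in os.listdir(keys_dir)]
    if when_ns is None:
        when_ns = max(os.stat(p).st_mtime_ns for p in paths)
    for p in paths:
        os.utime(p, ns=(when_ns, when_ns))


def haystack_bits(total_files: int, chosen: int) -> float:
    """Extra search space, in bits, faced by an attacker who already knows
    the passphrase when `chosen` of `total_files` key-files are used
    (unordered selection). Appending the same list to the passphrase, as
    the reply suggests, adds the same amount of work."""
    return math.log2(math.comb(total_files, chosen))


def demo() -> dict:
    """Run the whole model in a temporary directory and return the results."""
    with tempfile.TemporaryDirectory() as keys_dir:
        build_haystack(keys_dir, 300)
        base = os.stat(os.path.join(keys_dir, "1")).st_mtime_ns
        scrub_atimes(keys_dir, base)
        passphrase = "this is my passphrase"
        k1 = derive_key(passphrase, keys_dir, "5, 23, 192")
        k2 = derive_key(passphrase, keys_dir, "5,23,192")
        k3 = derive_key(passphrase, keys_dir, "5, 23")
        k4 = derive_key("another passphrase", keys_dir, "5, 23, 192")
        # Constructed: stamp the three files that were read with a later
        # access time, as a filesystem that records atime would do.
        for name in ("5", "23", "192"):
            os.utime(os.path.join(keys_dir, name), ns=(base + 10**9, base))
        before = atime_outliers(keys_dir)
        scrub_atimes(keys_dir)
        after = atime_outliers(keys_dir)
    return {
        "same_selection_same_key": k1 == k2,
        "different_inputs_different_keys": len({k1, k3, k4}) == 3,
        "outliers_before_scrub": before,
        "outliers_after_scrub": after,
        "bits_300_choose_3": haystack_bits(300, 3),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

`atime_outliers` is the check a practitioner would run on the key directory before trusting the haystack: on a filesystem mounted with atime updates, the used files stand out immediately, and `scrub_atimes` (or simply mounting the key directory `noatime`) is the mitigation. `haystack_bits` makes the reply's point concrete: choosing 3 of 300 files adds about 22 bits, which is the same margin a few extra characters appended to the passphrase would give without any new boot-loader support.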