I'm weighing the pros and cons of passphrase versus keyfile key formats for use with ZFS native encryption. Knowing ZFS currently uses PBKDF2, I've been following issue #14762 with interest, as many sources consider that KDF to be insecure against a very determined attacker with access to GPUs. Now, I'll preface this with I'm neither a developer nor a cryptographer, so a lot of this is over my head.
According to the zfsprops manpage, passphrases must be "between 8 and 512 bytes long." So, that's a maximum 4,096 bits that can be stored as a passphrase. To me, that would at first sound like a real compelling reason to use a super long passphrase, as keyfiles are currently limited to 32 bytes in size.
However, according to discussion in the aforementioned issue, ZFS currently uses `PKCS5_PBKDF2_HMAC_SHA1`. The way that I understand it, any passphrase data longer than the hash function's block size is effectively lost. That is, since the current KDF uses SHA1 HMAC, it renders those 4,096 maximum theoretical bits of passphrase down to a 160-bit hash.
Purely from a cryptographic standpoint, this would lead me to believe a keyfile is the better choice, as then we have 256 bits of material instead of 160.
Am I correct in my thinking, or have I royally misunderstood how the KDF works?
If I'm correct, would it also be prudent to make a note in the docs that says there's currently no practical advantage to using passphrases greater than 20 bytes long?
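An added example, not part of the original post and not ZFS code: it runs PBKDF2-HMAC-SHA1 through Python's `hashlib` to show how HMAC (RFC 2104) treats a passphrase shorter than SHA-1's 64-byte block versus one longer than it. The salt, iteration count, output length, and passphrases are constructed sample values, and the helper names are hypothetical.

```python
import hashlib
import hmac

SHA1_BLOCK = 64  # HMAC-SHA1 block size in bytes

# Constructed sample parameters, not values taken from ZFS.
SALT = bytes(range(8))
ITERATIONS = 1000
DKLEN = 32  # 256-bit derived key


def derive(passphrase: bytes) -> bytes:
    """PBKDF2-HMAC-SHA1 over the passphrase with the sample parameters."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, SALT, ITERATIONS, DKLEN)


def hmac_key_as_used(passphrase: bytes) -> bytes:
    """Key HMAC-SHA1 actually works with (RFC 2104): a key longer than one
    block is replaced by its SHA-1 digest, a shorter key is kept as-is."""
    if len(passphrase) > SHA1_BLOCK:
        return hashlib.sha1(passphrase).digest()
    return passphrase


def equivalent(a: bytes, b: bytes) -> bool:
    """True when two passphrases derive the same key."""
    return hmac.compare_digest(derive(a), derive(b))


# Constructed passphrases: one below the block size, one above it.
SHORT = b"correct horse battery staple"       # 28 bytes
LONG = b"correct horse battery staple " * 4   # 116 bytes

if __name__ == "__main__":
    for name, pw in (("short", SHORT), ("long", LONG)):
        reduced = hmac_key_as_used(pw)
        print(f"{name}: {len(pw)} bytes in, {len(reduced)} bytes keyed into "
              f"HMAC, same derived key: {equivalent(pw, reduced)}")
    # A passphrase under 64 bytes is not interchangeable with its digest.
    print("short vs sha1(short):",
          equivalent(SHORT, hashlib.sha1(SHORT).digest()))
```
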