asked 2020-04-06 18:10:00 +0200
hello,
is it possible to set different security codes for device (/home) encryption and for the normal device lock?
A long one with e.g. 20 numbers for encryption and a short one for the device lock (e.g. 5-6 numbers) ?
for me its not clear written in the how-to.
ahoi
answered 2020-04-07 10:51:07 +0200
Sailfish OS 3.3.0: the security code is used both for unlocking the device lock and for unlocking the encryption of user data.
This was clarified to https://jolla.zendesk.com/hc/en-us/articles/360011115540.
your clarification was clear to me, however I think the request for different codes is still valid.
As @juiceme pointed out a 5 digit code is very weak for LUKS encryption as brute force attacks can quickly been executed in recovery console from a script. There's no limit for failed trials so if you're interested in securing you home partition you're strongly advised to use a huge number of digits, especially an attacker knows that the key only contains numbers. If this is only required at login I think users may accept larger codes than for 'normal' security code to unlock the screen.
On the other hand a very long security code is not practical for 'normal' screen unlock, as this will be done plenty of times. On the other hand a 5-digit code on the UI is not as crucial as we have a counter for failed attempts. So brute force via UI is limited by that counter.
As we have different levels of protection and sensitivity and different attack vectors I don't think it's wise to have an identical code
jollajo ( 2020-04-07 12:30:49 +0200 )editThanks @jollajo, you summarized my thoughts clearly.
I would even go as far as proposing that the luks unlock password dialog be changed so that it would accept alphanumericals, and be possible to use a proper password sentence. (like on my fedora laptop I use a sentence of 47 characters to unlock luks)
As this only needs to be input once per boot it is not a big hindurance to anyone. The device unlock can remain as it is, a minmum 5-digit pincode.
juiceme ( 2020-04-07 13:45:36 +0200 )editAsked: 2020-04-06 18:10:00 +0200
Seen: 243 times
Last updated: Apr 07 '20
That'd be a ood thing to have, if the security code itself is used as the luks key. (I am not sure if that is the case, or is there a mechanism that'd somehow lengthen the key based on some device property? And even though ther would be, what would stop an attacker using the same property to salt the code and obtain the longer code...?)
As the minimum secureity code length is 5 digits, I assume many people use just the 5 digits as the code and do not create a longer code. 5 digits makes up just 100000 combinations it can very quickly opened with a brute-frce attack.
juiceme ( 2020-04-06 21:22:13 +0200 )edit