When using gpg4win with thunderbird and Enigmail i am wondering if there is a way to be able to copy and paste a longer password in? Trying to remember a 35 character password is hard without copy and pasting it. What do most people use when they want a very long password for there keys? I know on my mac i can do it but on linux with gpg4in i cant. Any suggestions?
I use modular passphrases, composed of shorter component. Some of the components are just passwords that I've used for many years, such as "973vc65" or "ajRP82ped". Others are longer, and represent the initial letters of memorable phrases. For example, "When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another" becomes "witcoheibnfoptdtpbwhctwa". To get long passphrases, I just concatenate the components, like words in sentences: "973vc65 witcoheibnfoptdtpbwhctwa ajRP82ped".
Alternatively use a password manager program like keypass it can generate long passwords and store them in an encrypted database.
The problem is getting them into passphrase prompts that don't allow pasting. And in the case of the LUKS prompt, there's no OS running to paste from.
The Yubikey has the ability to store a long static password in a slot, which you could concatenate with one you entered. Of course, that then leaves the securing of the key, but at least that's a different kind of threat (which threat might also be able to extract your remembered password with "persuasion" regardless).
With a LUKS prompt at boot, there is no "Ctrl + v". And actually, "Ctrl + v" does work with both the GnuPG and OpenSSH passphrase agent prompts. My bad for not checking I vaguely recall a passphrase dialog that didn't, but not which one But for what it's worth, of all the passphrases that I use, the LUKS ones are the longest. That's what keeps adversaries out.
I second the Yubikey. One way of securing it even more is to have the first 10 characters as something you know and use the Yubikey for the rest.
I have been interested in Yubico development SDK information relating to the use of the HMAC-SHA1 functionality in the context of Two factor authentication of whole disk encryption. The point being that the HMAC-SHA1 is at least protected in a secret, where the static password is clearly not! Possession of the key does not mean you know the HMAC-SHA1 secret, whereas with the static, that information is available to anyone with the key. But I have not seen any developments which use this for FDE.
Oops, I forgot about that Yubikey works for Bitlocker, TrueCrypt and LUKS: https://www.yubico.com/wp-content/u...ryption-with-Pre-Boot-Authentication-v1.2.pdf http://www.yubico.com/wp-content/uploads/2014/02/TrueCrypt-v1.3.pdf https://github.com/cornelinux/yubikey-luks
@mirimir, thanks for posting the pre-boot authentication document, that's the one I had in mind (and I've been experimenting with its suggestions for various local 2fa). But unfortunately, the implemented YK support for Bitlocker, TC and LUKS is all static password based, not HMAC-SHA1, which means that if the attacker also has your yubikey along with the disk/file, you've lost say half your entropy (assuming the attacker hasn't extracted the other half from you personally!). I would much prefer a successor to Truecrypt to support the HMAC-SHA1 version of 2fa using the mechanisms outlined in the first paper.
I'm rather surprised that nothing that supports HMAC-SHA1 on Yubikey with LUKS has developed. What's the problem? Is it that Yubikey is emulating a keyboard, but also one needs a keyboard to enter the challenge password? Could one maybe just use a USB splitter?
I'd very much like to see such a thing too - it may exist but be sitting in-house in various places. I'm not sure how Linux handles multiple HID, but I don't see there would be a problem there. There are Linux samples which use the OTP for PAM and SSH, but not so many examples for hmac generally. One of the other issues of course is that - as the first paper suggests for FDE - you ideally want a multi-user ability. But I'm not sure that LUKS provides for this - ah, I see it does - but of course would add to the complexity. And the code development is all low-level stuff.
