it might be nice to have a way to have multiple methods that could decrypt
the volume independently, e.g. to have a password/keyfile/security token or
whatever for "general use", and a "backup key" of sorts if anything fails.
in bitlocker for example you have the ability to have several different
encryption methods but near-always you have a 48-digit recovery key for
e.g. if the TPM fails. in LUKS you also have keyslots you can basically
fill with whatever your imagination (and the one of the programmers)
desires.
would be fairly neat if our favorite cross platform disk encryption would
have something like that too.
To implement this functionality, you can utilize the existing file header. The principle is to generate a backup header after password verification, and then use this backup header for recovery in case of forgetting (optionally with password or in plaintext).
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
it might be nice to have a way to have multiple methods that could decrypt
the volume independently, e.g. to have a password/keyfile/security token or
whatever for "general use", and a "backup key" of sorts if anything fails.
in bitlocker for example you have the ability to have several different
encryption methods but near-always you have a 48-digit recovery key for
e.g. if the TPM fails. in LUKS you also have keyslots you can basically
fill with whatever your imagination (and the one of the programmers)
desires.
would be fairly neat if our favorite cross platform disk encryption would
have something like that too.
To implement this functionality, you can utilize the existing file header. The principle is to generate a backup header after password verification, and then use this backup header for recovery in case of forgetting (optionally with password or in plaintext).