Hacker News new | past | comments | ask | show | jobs | submit login

The quote is correct. It does not say they're not using a KDF or salting, which you seem to read into it? The keyfile is the "something you have" and the password "something you know", so two-factor checks out, even if it's not a time-based token that people expect nowadays (though TOTP is essentially the same but on another device, extracting time-based short codes from the long key to make it convenient to type over). No matter how good your KDF, a weak or reused password can still be crackable, so a key file can make sense even if you use a salted KDF



How is this different from just a keyfile?


Someone with the keyfile but without the password cannot decrypt?


Do people usually store key material without encryption at rest?

You're not writing the naked bytes of the key directly in a file.

Anyway, authentication refers to communication between systems. That's not what this is. Decryption is not authentication (except perhaps of the decrypted plaintext, which is not what we are discussing).


> Do people usually store key material without encryption at rest?

As usual, depending on the threat model, yes, it can be very valid to store key material on a disk without encryption. Not everyone is Snowden.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: