Do you love your family? Your family holds the key!

Why would you go out of your way to generate and save a SHA256 hash digest for every photo, and then test all of them against an encrypted ZFS dataset, and you’re not even sure this method was used, and if this method was used, they might have used an MP3 song instead of a photo…

You don’t even know if there’s a puzzle to solve. :wink:

EDIT: I’ll even make this easy for you.

One of my encrypted containers (not ZFS, but LUKS) is using a hash from an image that can be retrieved with a simple Google search. I’m not joking. There’s an image out there that I can find using Google. When I download the image and run a hash algorithm against it, I can use that to unlock my LUKS container.

Go ahead… find my key.

Unless you spoke about it out loud.

Well, we already do. You should watch your back to not be deanonned.

Challenge accepted! :point_down:

Do you have a local copy of this image? Or do you google it every time for decryption?

That’s for you to find out on your own.

Can you already see how this isn’t security through obscurity?

How do you know I’m not lying about this?


Can you see how this has nothing to do with “security through obscurity”?

Where do you even begin? What are you looking for? Is there even anything to decrypt?

As I said before, you have better chances of running a brute force attack on the encryption, rather than waste time on a fruitless wild goose chase.

Because you would never lie? :innocent:

1 Like

How do you know that the image arrived bit-perfect — that it wasn’t transcoded or downsampled, and no metadata was anonymized or otherwise updated? If not in transit, then by the recipient’s arbitrary photo management system?

And now you are hiding the details. Good job! But you should have done that from the beginning.

No. And I am again saying to everyone reading this topic:
If you ever commit such kinds of security strategies, you should NEVER talk about it publicly! You should not even talk about it privately unless you are ready to hand off your keys to the person you talk to.

Well, then edit your original post. Advise people to always say at the end that they may lie about using their images as keys. TBH, it looks like a cheap excuse, which could be refuted by hashing your entire photo library.

You potentially would ask these very questions to the enforcers, who would have your entire TrueNAS forums correspondence. And in some cases your entire search history (which can statistically reveal some “unusual” tendency for some public pictures).

Sue them in court and then disown them. They are not worthy of being considered your family.

1 Like

You can start any time you wish. I won’t stop you.

Meanwhile, someone with a hammer has a better chance at forcing me to decrypt my files. :hammer:

Update this thread when you’re done hashing all my photos (and music too?), and let us know the results of decrypting my encrypted files, which might not even exist. :slightly_smiling_face:

I think that “my data is secure from whoever has physical access to my device (and knows that I am winnielinnie)” is a bit different from “my data is secure from the random guy on the TrueNAS forum”.

Of course. But in your case they probably don’t even have to buy a hammer. Unless they want to… :smiling_imp:
From some POV, it can be considered as a plus. OTOH, being aware that your data was compromised (because you were forced to decrypt it) can be preferable to not knowing it was compromised at all.

I have to wonder if someone will save their photo to Google Photos or something and it compresses it, or doesn’t hold the original somehow, then whoops.

1 Like
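The bit-perfect concern raised in the posts above (transcoding, rewritten metadata, a photo service recompressing the file), shown as an added example that is not part of any post in this thread or anyone's actual setup: a key derived as the SHA-256 of a file's raw bytes, plus a short check value that tells you whether a given copy still regenerates that key. The function names, the check label and the sample bytes are all constructed for illustration.

```python
import hashlib
import hmac
import io

CHECK_LABEL = b"file-key-check-v1"  # constructed label, not from the thread


def derive_key(stream, chunk_size=65536):
    """Return the SHA-256 digest of the stream's raw bytes (a 32-byte key)."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.digest()


def key_check_value(key):
    """Short HMAC tag that identifies a key without storing the key itself."""
    return hmac.new(key, CHECK_LABEL, hashlib.sha256).hexdigest()[:16]


def regenerates_key(stream, expected_kcv):
    """True if this copy of the file reproduces the key behind expected_kcv."""
    candidate = key_check_value(derive_key(stream))
    return hmac.compare_digest(candidate, expected_kcv)


# Constructed stand-in for a photo: JPEG-like markers around a metadata segment.
METADATA = b"\xff\xe1\x00\x10Exif\x00\x00camera=X1"
ORIGINAL = b"\xff\xd8" + METADATA + b"\xff\xda" + bytes(range(256)) * 64 + b"\xff\xd9"
# Same image data after a hypothetical photo service stripped the metadata.
STRIPPED = ORIGINAL.replace(METADATA, b"")

# Record the check value once, when the key is first put into use.
KCV = key_check_value(derive_key(io.BytesIO(ORIGINAL)))

if __name__ == "__main__":
    for name, data in (("original", ORIGINAL), ("stripped", STRIPPED)):
        key = derive_key(io.BytesIO(data))
        ok = regenerates_key(io.BytesIO(data), KCV)
        print(f"{name:9s} key={key.hex()[:16]}... regenerates_key={ok}")
```

The check value lets anyone who holds it test candidate files offline, so keep it no more widely available than the encrypted volume itself.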

Let’s say they just generated a random keystring.

They lost their key.

They don’t have a backup or export of the file.

They don’t even have it saved in a key manager or wallet.

Now what?

The only difference is that with this method, they can regenerate their key with an important file (photo, song, video, document, whatever) that is only known to them.

That’s why there are no true cons to this approach.

I’m not trying to be rude, but I think sometimes we miss the entire point of something when we overthink things.

In other words, no different than if they had generated a random keystring without using a photo. :wink:

2 Likes