Some programs that use encryption to protect your data allow you to enter a file to be used as a keyfile in addition to a password to decrypt your data. This greatly increases the security of the data, because an attacker would need not only the password required to decrypt (passwords can be obtained in a variety of ways, such as keyloggers, successful attacks on another system that shares the same password, and other means), but also a copy of the file that you have set as the keyfile.

In fact, by using both the password and the keyfile, your data's protection fits the definition of Two-Factor Authentication (rsa.com), which is a great increase in overall security over single-factor authentication, for the reasons mentioned above.

I currently use two programs that allow for both a password and keyfiles, the first being Keepass, which I have previously written about, and TrueCrypt, which I recently wrote about.

TrueCrypt allows you to use multiple keyfiles. This means that instead of using unique files, you could use freely available standardized files in a combination that only you know (although I suspect that would officially place it back in the realm of single-factor authentication by definition), but it also allows you to keep a stash of unique files from which you choose the ones to use as keyfiles. By keeping this pool of files large, you make it nearly impossible for the proper combination to be guessed, should the files fall into the hands of the same attacker who has your encrypted data. You can also create randomly generated keyfiles with TrueCrypt.
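To make the two-factor point above concrete, here is an added example (not KeePass or TrueCrypt code; both programs use their own file formats and key derivation) of how a password and one or more keyfiles can be combined into a single encryption key. The salt, iteration count, and the order-independent way of combining several keyfiles are assumptions chosen for the demonstration, not the real programs' schemes. It shows that the derived key changes if either factor is missing or wrong, that the order in which keyfiles are supplied does not matter, and that a random keyfile can be generated from the OS random source, as the keyfile generators in both programs do in spirit.

```python
"""Illustrative password + keyfile key derivation (added example, not KeePass or
TrueCrypt code). The key is a function of BOTH factors, so a stolen password
without the keyfile, or a keyfile without the password, does not unlock the data."""
import hashlib
import hmac
import os
import secrets
import tempfile

KEY_LEN = 32
# Constructed salt for the demo; a real container stores a random salt in its header.
DEMO_SALT = b"constructed-demo-salt"


def generate_keyfile(path, size=64):
    """Write `size` bytes from the OS CSPRNG to `path` and return them.
    A random keyfile cannot be found on any public site, unlike a 'standard' file."""
    data = secrets.token_bytes(size)
    with open(path, "wb") as f:
        f.write(data)
    return data


def load_keyfile(path):
    with open(path, "rb") as f:
        return f.read()


def keyfile_digest(keyfiles):
    """Reduce any number of keyfiles to one 32-byte digest.

    Each file is hashed on its own, the hashes are sorted and hashed again, so
    the result does not depend on the order the files are given in, while
    supplying the same file twice still changes the result (XORing hashes would
    cancel duplicates out). Hypothetical scheme, not TrueCrypt's keyfile pool.
    """
    hashes = sorted(hashlib.sha256(data).digest() for data in keyfiles)
    return hashlib.sha256(b"".join(hashes)).digest()


def derive_key(password, keyfiles=(), salt=DEMO_SALT, iterations=100_000):
    """Derive the data-encryption key from the password and the keyfiles.

    The keyfile digest is bound to the password with HMAC before the slow,
    salted PBKDF2 step, so a guess has to be right on both factors at once:
    an attacker cannot brute-force the password first and the keyfile later.
    """
    bound = hmac.new(keyfile_digest(keyfiles), password.encode("utf-8"),
                     hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", bound, salt, iterations, dklen=KEY_LEN)


def unlock(expected_key, password, keyfiles=()):
    """Constant-time check of a password/keyfile combination against the key
    that protected the data. True only when both factors are correct."""
    return hmac.compare_digest(derive_key(password, keyfiles), expected_key)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        kf_path = os.path.join(tmp, "keyfile.bin")
        generate_keyfile(kf_path)
        keyfile = load_keyfile(kf_path)
        key = derive_key("correct horse", [keyfile])
        print("password + keyfile:", unlock(key, "correct horse", [keyfile]))
        print("password only     :", unlock(key, "correct horse"))
        print("keyfile only      :", unlock(key, "", [keyfile]))
```

Run as a script it generates a keyfile in a temporary directory and prints `True` for the full combination and `False` for either factor alone. The same functions cover the KeePass case further down: a single keyfile is just a one-element list.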

One method that would ensure the content encrypted by TrueCrypt stays secure would be to place the keyfiles onto a separate USB drive, and then securely remove the original copies of the files with a program like wipe. If you then keep that USB drive with you at all times and never allow the files to be copied off it (which for the ultra-security conscious means never plugging it into someone else's computer), then you hold the only means of decryption in existence.

Sadly, Keepass only allows one keyfile to be used. This implies you should only use a unique file, since an attacker could easily obtain any freely available file you might otherwise choose. Fortunately, Keepass has a utility for generating keyfiles built in, just as TrueCrypt does.

Keepassdroid, the Android version of Keepass that I wrote about some time ago, can also use a keyfile. However, I noticed that it is unable to access any filenames with a path that includes a space, so it has limitations that the full version of Keepass does not.