Password and Key File[1]: Something you know and something you have
Two-factor authentication (2FA) or multi-factor authentication (MFA) has long been used by bank cards (knowledge: PIN, possession: card) and is also used by some web applications. And it also plays a (minor) role in encryption: The meanwhile discontinued program TrueCrypt, like its successor VeraCrypt, allowed the use of keyfiles in addition to passwords.
The Weakness of Passwords and the Strength of the Second Factor
If only the passwords were good enough, the encryption would be pretty secure. Unfortunately, passwords are often very bad and almost never as good as a randomly generated key. They usually represent the weakest link in the encryption.
Key derivation functions reduce this weakness, but they do not eliminate it.
If no outdated encryption algorithm is used, an attack on the key is practically impossible, but attacking a password by a dictionary attack is always promising.
A random value of sufficient length, which is required for decryption, makes the scheme invulnerable to dictionary attacks.
Key Files for PEAs
You have the choice of either generating a file with random numbers (this is the recommended option) or selecting a file from the file system. A generated key file is 128 bytes in size.
No matter which file you have chosen, a Blake2b hash value of this file is calculated and combined with the derived password via HKDF scheme.
Usage
Be careful never to modify or delete the key file. It is a good idea to keep a copy in a safe place.
It is recommended to use generated key files. Whether other files contain enough entropy to be usable as key files is not always easy to decide. Generated key files are created with pseudo-random generators. They are small, but have sufficient entropy in any case.
If you choose another file anyway: Choose a file with a compressed format rather than a file, such as a text file, that is typically modified: PNG images, OGG music files...
It really matters where you store this file. If you store it on an USB stick that you insert before starting the PEA, then only you as the holder of the stick can decrypt the data.
If the key file is stored on the same device as the PEA, then it still protects the data that are stored in the cloud. But when the device is accessed, the additional protection goes way down.
If you have selected the "Default key file" option, the file will be processed automatically if it is accessible. Otherwise, you must select the file each time you start the PEA. In the vast majority of cases, selecting the file manually does not provide much security benefit.
Other programs using key files
There is no standard for the use of key files, but some practices have more or less become established.
Besides some closed source programs, whose statements can hardly be verified, the disk encryption software VeraCrypt, the Windows disk encryption software DiskCryptor, the password manager KeePass and the command line file encryption software Kryptor offer the use of key files.
All these programs can generate key files as well as use any kind of files. The (default) length of the generated key files differs not much (KeePass: 32 bytes, VeraCrypt, DiskCryptor and Kryptor: 64 bytes). And all these programs use key files only optionally.
VeraCrypt
Helpful links about the usage of key files in VeraCrypt:VeraCrypt uses a somewhat strange function to process keyfiles. This was probably taken over from its predecessor TrueCrypt and uses a byte pool and the hash function CRC-32 to process the first 1024 KB of a key file. The processing is unproblematic despite the insecure CRC-32 function, because it is only about reading the file. Because this scheme is based on byte-wise additions, several key files can be processed in any order.
Key files are not supported for system encryption. Accessing files before the system starts would be quite tricky...
It is recommended to use generated files or at least those with more expected entropy (.mp3, .jpg, .zip...).
DiskCryptor
Helpful links about the usage of key files in Kryptor:DiskCryptor has been under further development since 2020 after a long break. The documentation is not that detailed, so the only thing left to do is to look into the source code. The information here is therefore without guarantee.
DiskCryptor uses generated keyfiles of length 64 bytes. The key files are hashed with SHA-512 and the hash value is mixed with the password by addition to be used for key derivation (PBKDF2).
KeePass
Helpful links about the usage of key files in KeePass:KeePass recommends the use of generated keyfiles in XML format, which allows a check for file corruptions and an integrity check. But 32-byte files or files with 64 hexadecimal characters can also drectly be read in as keys. Other files are hashed with SHA-256.
A key file can be used instead of a password, or in addition to a password.
Kryptor
Helpful links about the usage of key files in Kryptor:In Kryptor, in addition to the password and a keyfile, you can also use an asymmetric key for file encryption.
It is to be welcomed that not only (partially somewhat outdated) standards are adopted: For the application suitable algorithms like Blake2b and Argon2 are used.
If the keyfile is used in addition to the password: The file is hashed with Blake2b and the hash value is entered as the optional "key" of the key derivation function next to the password. Fortunately, the Argon2 function has a dedicated parameter for such cases. If the key file is used alone, the hash value acts as input to Argon2. This scheme is in place at least for version 3.
[1] Key file often refers to files containing secret keys for public key cryptosystems. These are often protected by a password. However, here we mean files that add entropy to passwords or even replace passwords.