From: Uwe Menges <uwe.menges@web.de>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] LUKS user verification on OpenSUSE 11.2
Date: Tue, 17 Nov 2009 17:38:41 +0100	[thread overview]
Message-ID: <4B02D191.3040808@web.de> (raw)
In-Reply-To: <7c190390911170122w67dec8d9r63ef9cdc996e0619@mail.gmail.com>

Peter Maffay wrote:
> this is a request regarding a user verification improvement on bootup
> for LUKS on OpenSUSE 11.2.
> 
> 1. Though LUKS works great within OpenSUSE, we consider the sudden break
> in the booting screen as an annoyance.
> A small popup asking for the pass right after selecting the boot within
> GRUB would do a much better job rather than jumping back to the bash.

In Ubuntu, the prompt appears in the color and font of the splash, which
softens the style break. Probably that's easier than trying to put real
GUI stuff into the initrd.

> 3. Also I am wondering, why LUKS does not support the use of a
> fingerprint reader. If one is attached, it should be possible to provide
> the fingerprint right after the password-prompt-popup (which is not
> included yet)

LUKS is basically just the framework for keeping metadata about the
encryption method used, and key slots. Where the keys come from is not
really part of LUKS. I (on Ubuntu 9.04) have an existing "cryptopensc"
initrd script which seems to handle placement of keys on a smart card
(see also
http://www.mail-archive.com/debian-bugs-closed@lists.debian.org/msg121577.html)
- a similar script could probably do fingerprint reader stuff, provided
that the fingerprint reader has some kind of storage for the key which
it would only reveal after a match. Simply authenticating with a
fingerprint reader in a yes/no scheme isn't sufficient, because that
would require storage of the key in the initrd, which renders the whole
encryption stuff useless unless you have the initrd with you (e.g. on a
USB stick).

> 2. Furthermore it would be great if an option to cryptsetup would be
> added to use a keyfile as an option on the command line, at the moment
> you can either have password OR keyfile. A simple "if keyfile not found,
> default to password" would be nice.

That would be easy to do; any initrd script can take kernel cmdline
parameters into account. But this is not really a LUKS task, but rather
one for the distributors (some of whom read here).

Yours, Uwe
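
As an added illustration of the "keyfile if present, else password"
fallback and of the kernel-command-line handling discussed above
(example code written for this archive page; it is not an existing
distributor initrd script and not part of cryptsetup or LUKS): the
script below looks for a hypothetical cryptkey=/path parameter, uses
the file through cryptsetup's real --key-file option when it is a
readable regular file, and otherwise lets cryptsetup prompt for a
passphrase on the console. It goes one step beyond the request in the
thread: a keyfile that cryptsetup rejects also falls back to the
prompt, because cryptsetup itself does not fall back once --key-file is
given. The parameter name, the device and mapping names, and the
CRYPTSETUP override variable are assumptions of this example. The key
lives on removable media the initrd has mounted, never in the initrd
itself, for exactly the reason given above about the fingerprint reader.

```shell
#!/bin/sh
# Added example, not from the thread and not a distributor's initrd
# script. Assumed kernel parameter (hypothetical name):
#     cryptkey=/path/to/luks.key
# The path must be readable inside the initrd, e.g. on a USB stick the
# initrd has already mounted; the key is deliberately NOT stored in the
# initrd itself.

# cryptsetup binary. Overridable so the decision logic can be exercised
# on a machine without root or a real LUKS volume (assumption for this
# example; a real hook would just call cryptsetup).
CRYPTSETUP=${CRYPTSETUP:-cryptsetup}

# cmdline_param NAME "CMDLINE": print the value of NAME=value from a
# kernel command line string (normally the contents of /proc/cmdline).
# Runs in a subshell so "set -f" (no globbing while splitting) and the
# loop variables do not leak. Exit status 1 if the parameter is absent.
cmdline_param() (
    set -f
    name=$1
    for tok in $2; do
        case $tok in
            "$name"=*) printf '%s\n' "${tok#*=}"; exit 0 ;;
        esac
    done
    exit 1
)

# select_keyfile "CMDLINE": print the keyfile path to use, or fail when
# the script should fall back to a passphrase: no cryptkey= parameter,
# or the named file is not a readable regular file.
select_keyfile() {
    _kf=$(cmdline_param cryptkey "$1") || return 1
    [ -n "$_kf" ] && [ -f "$_kf" ] && [ -r "$_kf" ] || return 1
    printf '%s\n' "$_kf"
}

# unlock_luks DEVICE NAME "CMDLINE": open LUKS DEVICE as /dev/mapper/NAME.
# Tries the keyfile first (cryptsetup's --key-file). If the keyfile is
# absent, or cryptsetup rejects it, cryptsetup is run again without
# --key-file so it prompts for a passphrase on the console (cryptsetup
# does not fall back on its own once --key-file is given).
# Prints the source that succeeded, "keyfile" or "passphrase".
unlock_luks() {
    _dev=$1; _name=$2; _cmdline=$3
    if _kf=$(select_keyfile "$_cmdline"); then
        if "$CRYPTSETUP" --key-file "$_kf" luksOpen "$_dev" "$_name"; then
            echo keyfile
            return 0
        fi
        echo "keyfile $_kf rejected, falling back to passphrase" >&2
    fi
    # --tries 3 is cryptsetup's default, stated explicitly here.
    if "$CRYPTSETUP" --tries 3 luksOpen "$_dev" "$_name"; then
        echo passphrase
        return 0
    fi
    echo "could not unlock $_dev" >&2
    return 1
}

# In an initramfs hook (device and mapping name are assumptions):
#   unlock_luks /dev/sda2 cryptroot "$(cat /proc/cmdline)"
```

The CRYPTSETUP variable exists only so the decision logic can be run on
a development box with a stand-in command; in the initrd it resolves to
the real binary. Note that the "keyfile rejected" path still costs one
failed luksOpen before the prompt appears, which is the price of the
automatic fallback.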

Thread overview: 4+ messages
2009-11-17  9:22 [dm-crypt] LUKS user verification on OpenSUSE 11.2 Peter Maffay
2009-11-17 12:32 ` Ludwig Nussel
2009-11-17 16:38 ` Uwe Menges [this message]
2009-11-17 18:10 ` Heinz Diehl
