* [dm-crypt] LUKS user verification on OpenSUSE 11.2
@ 2009-11-17  9:22 Peter Maffay
  2009-11-17 12:32 ` Ludwig Nussel
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Peter Maffay @ 2009-11-17  9:22 UTC (permalink / raw)
  To: dm-crypt


Good evening, Ladies and Gentlemen,

this is a request regarding a user verification improvement on bootup for
LUKS on OpenSUSE 11.2.

1. Though LUKS works great within OpenSUSE, we consider the sudden break in
the booting screen as an annoyance.
A small popup asking for the pass right after selecting the boot within GRUB
would do a much better job rather than jumping back to the bash.
3. Also I am wondering, why LUKS does not support the use of a fingerprint
reader. If one is attached, it should be possible to provide the fingerprint
right after the password-prompt-popup (which is not included yet)
2. Furthermore it would be great if an option to cryptsetup would be added
to use a keyfile as an option on the command line, at the moment you can
either have password OR keyfile. A simple "if keyfile not found, default to
password" would be nice.

Would it be possible for you to release an update on this to be integrated
in a future release?
A discussion on the mentioned improvements has already been opened
HERE <http://forums.opensuse.org/install-boot-login/425810-luks-password-bothers-me.html>.
Please feel free to contribute your opinions.

Thank you for developing LUKS to make our world a little more secure. ;) We
would love to hear from you soon.

-Mr. Maffay and the OpenSUSE members


* Re: [dm-crypt] LUKS user verification on OpenSUSE 11.2
  2009-11-17  9:22 [dm-crypt] LUKS user verification on OpenSUSE 11.2 Peter Maffay
@ 2009-11-17 12:32 ` Ludwig Nussel
  2009-11-17 16:38 ` Uwe Menges
  2009-11-17 18:10 ` Heinz Diehl
  2 siblings, 0 replies; 4+ messages in thread
From: Ludwig Nussel @ 2009-11-17 12:32 UTC (permalink / raw)
  To: dm-crypt

Peter Maffay wrote:
> 1. Though LUKS works great within OpenSUSE, we consider the sudden break in
> the booting screen as an annoyance.
> A small popup asking for the pass right after selecting the boot within GRUB
> would do a much better job rather than jumping back to the bash.

The currently used method to display a startup screen only supports
on and off. In order to display prompts a different splash screen
technology would be needed first => features.opensuse.org

> 2. Furthermore it would be great if an option to cryptsetup would be added
> to use a keyfile as an option on the command line, at the moment you can
> either have password OR keyfile. A simple "if keyfile not found, default to
> password" would be nice.

That's something for boot.crypto to handle. crypttab since 11.2
supports keyscripts so you can implement any method you like in a
custom keyscript.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)


* Re: [dm-crypt] LUKS user verification on OpenSUSE 11.2
  2009-11-17  9:22 [dm-crypt] LUKS user verification on OpenSUSE 11.2 Peter Maffay
  2009-11-17 12:32 ` Ludwig Nussel
@ 2009-11-17 16:38 ` Uwe Menges
  2009-11-17 18:10 ` Heinz Diehl
  2 siblings, 0 replies; 4+ messages in thread
From: Uwe Menges @ 2009-11-17 16:38 UTC (permalink / raw)
  To: dm-crypt

Peter Maffay wrote:
> this is a request regarding a user verification improvement on bootup
> for LUKS on OpenSUSE 11.2.
> 
> 1. Though LUKS works great within OpenSUSE, we consider the sudden break
> in the booting screen as an annoyance.
> A small popup asking for the pass right after selecting the boot within
> GRUB would do a much better job rather than jumping back to the bash.

In Ubuntu, the prompt appears in color and font of the splash, which
mildens the appearance style break. Probably that's easier than trying
to put real GUI stuff into initrd.

> 3. Also I am wondering, why LUKS does not support the use of a
> fingerprint reader. If one is attached, it should be possible to provide
> the fingerprint right after the password-prompt-popup (which is not
> included yet)

LUKS is basically just the framework for keeping metadata about the
encryption method used, and key slots. Where the keys come from is not
really part of LUKS. I (on Ubuntu 9.04) have an existing "cryptopensc"
initrd script which seems to handle placement of keys on a smart card
(see also
http://www.mail-archive.com/debian-bugs-closed@lists.debian.org/msg121577.html)
- a similar script could probably do fingerprint reader stuff, provided
that the fingerprint reader has some kind of storage for the key which
it would only reveal after match. Simply authenticating with a
fingerprint reader in a yes/no scheme isn't sufficient, because that
would require storage of the key in the initrd, which renders the whole
encryption stuff useless unless you have the initrd with you (eg. USB
stick).

> 2. Furthermore it would be great if an option to cryptsetup would be
> added to use a keyfile as an option on the command line, at the moment
> you can either have password OR keyfile. A simple "if keyfile not found,
> default to password" would be nice.

That would be easy to do, any initrd script can take kernel cmdline
parameters into account. But this is not really a LUKS task, but rather
one of the distributors (some read here).

Yours, Uwe
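
The keyscript and kernel-cmdline suggestions from the two replies above, combined in one sketch: use a keyfile if it is present, otherwise fall back to a passphrase prompt. This is an added example, not code from the thread or from any distribution; it assumes a keyscript convention where the crypttab key field arrives as `$1` and stdout is taken as the key, and `luks_keyfile=` and `KEY_TTY` are hypothetical names.

```shell
#!/bin/sh
# Added example keyscript (not from the thread): keyfile if present, else prompt.
# Assumed convention: $1 is the key field from crypttab and everything written
# to stdout becomes the key. "luks_keyfile=" is a hypothetical kernel parameter.

# Print the value of NAME=value from a kernel command line string.
cmdline_param() (  # $1 = NAME, $2 = command line text
    set -f         # no glob expansion while splitting into words
    for word in $2; do
        case "$word" in
            "$1"=*) printf '%s' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
)

# Print "keyfile" if the path is a readable, non-empty regular file, else "prompt".
key_source() {  # $1 = candidate keyfile path
    if [ -n "$1" ] && [ -f "$1" ] && [ -r "$1" ] && [ -s "$1" ]; then
        echo keyfile
    else
        echo prompt
    fi
}

# Ask on the console with echo off; only the passphrase itself goes to stdout.
read_passphrase() {
    tty=${KEY_TTY:-/dev/console}   # KEY_TTY is a hypothetical override
    printf 'Enter LUKS passphrase: ' >"$tty"
    stty -echo <"$tty"
    IFS= read -r pass <"$tty" || true
    stty echo <"$tty"
    printf '\n' >"$tty"
    printf '%s' "$pass"   # no trailing newline, so the key is exactly what was typed
}

emit_key() {  # $1 = crypttab key field, $2 = kernel command line text
    keyfile=$(cmdline_param luks_keyfile "$2") || keyfile=$1
    if [ "$(key_source "$keyfile")" = keyfile ]; then
        cat "$keyfile"
    else
        read_passphrase
    fi
}

# Run only when invoked as a keyscript, i.e. with the key field as argument.
if [ "$#" -ge 1 ]; then
    emit_key "$1" "$(cat /proc/cmdline)"
fi
```

The keyfile path should point at removable media rather than a file inside the initrd, for the reason given in the reply above about keys stored in the initrd.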


* Re: [dm-crypt] LUKS user verification on OpenSUSE 11.2
  2009-11-17  9:22 [dm-crypt] LUKS user verification on OpenSUSE 11.2 Peter Maffay
  2009-11-17 12:32 ` Ludwig Nussel
  2009-11-17 16:38 ` Uwe Menges
@ 2009-11-17 18:10 ` Heinz Diehl
  2 siblings, 0 replies; 4+ messages in thread
From: Heinz Diehl @ 2009-11-17 18:10 UTC (permalink / raw)
  To: dm-crypt

On 17.11.2009, Peter Maffay wrote: 

> this is a request regarding a user verification improvement on bootup for
> LUKS on OpenSUSE 11.2.

You have to talk to the opensuse maintainers, then.
And it would be nice to have a real username.
