From mboxrd@z Thu Jan 1 00:00:00 1970
From: Peter Maffay
Date: Tue, 17 Nov 2009 10:22:49 +0100
Message-ID: <7c190390911170122w67dec8d9r63ef9cdc996e0619@mail.gmail.com>
Subject: [dm-crypt] LUKS user verification on OpenSUSE 11.2
To: dm-crypt@saout.de

Good evening, Ladies and Gentlemen,

this is a request regarding a user verification improvement on bootup for LUKS on OpenSUSE 11.2.

1. Though LUKS works great within OpenSUSE, we consider the sudden break in the booting screen as an annoyance.
A small popup asking for the pass right after selecting the boot within GRUB would do a much better job rather than jumping back to the bash.

3. Also I am wondering, why LUKS does not support the use of a fingerprint reader. If one is attached, it should be possible to provide the fingerprint right after the password-prompt-popup (which is not included yet)

2. Furthermore it would be great if an option to cryptsetup would be added to use a keyfile as an option on the command line, at the moment you can either have password OR keyfile. A simple "if keyfile not found, default to password" would be nice.

Would it be possible for you to release an update on this to be integrated in a future release?
A discussion on the mentioned improvements has already been opened HERE. Please feel free to contribute your opinions.

Thank you for developing LUKS to make our world a little more secure. ;) We would love to hear from you soon.

-Mr. Maffay and the OpenSUSE members

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ludwig Nussel
Date: Tue, 17 Nov 2009 13:32:09 +0100
Message-ID: <20091117133209.0ac0fb43@tanana.suse.de>
In-Reply-To: <7c190390911170122w67dec8d9r63ef9cdc996e0619@mail.gmail.com>
References: <7c190390911170122w67dec8d9r63ef9cdc996e0619@mail.gmail.com>
Subject: Re: [dm-crypt] LUKS user verification on OpenSUSE 11.2
To: dm-crypt@saout.de

Peter Maffay wrote:
> 1. Though LUKS works great within OpenSUSE, we consider the sudden break in
> the booting screen as an annoyance.
> A small popup asking for the pass right after selecting the boot within GRUB
> would do a much better job rather than jumping back to the bash.

The currently used method to display a startup screen only supports on
and off. In order to display prompts a different splash screen
technology would be needed first => features.opensuse.org

> 2. Furthermore it would be great if an option to cryptsetup would be added
> to use a keyfile as an option on the command line, at the moment you can
> either have password OR keyfile. A simple "if keyfile not found, default to
> password" would be nice.

That's something for boot.crypto to handle. crypttab since 11.2 supports
keyscripts so you can implement any method you like in a custom
keyscript.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Uwe Menges
Date: Tue, 17 Nov 2009 17:38:41 +0100
Message-ID: <4B02D191.3040808@web.de>
In-Reply-To: <7c190390911170122w67dec8d9r63ef9cdc996e0619@mail.gmail.com>
References: <7c190390911170122w67dec8d9r63ef9cdc996e0619@mail.gmail.com>
Subject: Re: [dm-crypt] LUKS user verification on OpenSUSE 11.2
To: dm-crypt@saout.de

Peter Maffay wrote:
> this is a request regarding a user verification improvement on bootup
> for LUKS on OpenSUSE 11.2.
>
> 1. Though LUKS works great within OpenSUSE, we consider the sudden break
> in the booting screen as an annoyance.
> A small popup asking for the pass right after selecting the boot within
> GRUB would do a much better job rather than jumping back to the bash.

In Ubuntu, the prompt appears in color and font of the splash, which
mildens the appearance style break. Probably that's easier than trying
to put real GUI stuff into initrd.

> 3. Also I am wondering, why LUKS does not support the use of a
> fingerprint reader. If one is attached, it should be possible to provide
> the fingerprint right after the password-prompt-popup (which is not
> included yet)

LUKS is basically just the framework for keeping metadata about the
encryption method used, and key slots. Where the keys come from is not
really part of LUKS.
I (on Ubuntu 9.04) have an existing "cryptopensc" initrd script which seems
to handle placement of keys on a smart card (see also
http://www.mail-archive.com/debian-bugs-closed@lists.debian.org/msg121577.html)
- a similar script could probably do fingerprint reader stuff, provided
that the fingerprint reader has some kind of storage for the key which
it would only reveal after match. Simply authenticating with a
fingerprint reader in a yes/no scheme isn't sufficient, because that
would require storage of the key in the initrd, which renders the whole
encryption stuff useless unless you have the initrd with you (e.g. USB
stick).

> 2. Furthermore it would be great if an option to cryptsetup would be
> added to use a keyfile as an option on the command line, at the moment
> you can either have password OR keyfile. A simple "if keyfile not found,
> default to password" would be nice.

That would be easy to do, any initrd script can take kernel cmdline
parameters into account. But this is not really a LUKS task, but rather
one of the distributors (some read here).

Yours, Uwe

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Heinz Diehl
Date: Tue, 17 Nov 2009 19:10:36 +0100
Message-ID: <20091117181036.GB5812@fancy-poultry.org>
In-Reply-To: <7c190390911170122w67dec8d9r63ef9cdc996e0619@mail.gmail.com>
References: <7c190390911170122w67dec8d9r63ef9cdc996e0619@mail.gmail.com>
Subject: Re: [dm-crypt] LUKS user verification on OpenSUSE 11.2
To: dm-crypt@saout.de

On 17.11.2009, Peter Maffay wrote:
> this is a request regarding a user verification improvement on bootup for
> LUKS on OpenSUSE 11.2.

You have to talk to the opensuse maintainers, then.
And it would be nice to have a real username.
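
Added example, not part of any message in this thread: a keyscript of the kind Ludwig Nussel's reply points to, implementing the requested "if keyfile not found, default to password" behaviour. It assumes the Debian-style keyscript convention (crypttab key field passed as `$1`, key read from the script's stdout); the script name `luks-key-fallback` and all paths are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or from cryptsetup/boot.crypto.
# Assumption: Debian-style keyscript convention: the crypttab key field
# arrives as $1 and everything written to stdout is used as the key.
# Constructed crypttab line (Debian syntax, hypothetical paths):
#   cr_home /dev/sda3 /media/usbkey/home.key luks,keyscript=/lib/cryptsetup/scripts/luks-key-fallback
# Keep the keyfile on removable media: as noted in the thread, a key stored
# in the initrd next to the encrypted disk defeats the encryption.

get_key() {
    keyfile=${1:-}
    # Use the keyfile only if it is a readable, non-empty regular file.
    if [ -n "$keyfile" ] && [ -f "$keyfile" ] && [ -r "$keyfile" ] && [ -s "$keyfile" ]; then
        cat -- "$keyfile"
        return 0
    fi

    # Fallback: prompt on stderr so that stdout carries key material only.
    printf 'Keyfile not available, enter passphrase: ' >&2
    if [ -t 0 ]; then
        saved_tty=$(stty -g)
        trap 'stty "$saved_tty"' INT TERM   # restore echo if interrupted
        stty -echo
        IFS= read -r pass || true
        stty "$saved_tty"
        trap - INT TERM
        printf '\n' >&2
    else
        IFS= read -r pass || true
    fi

    # An empty passphrase is an error; let the caller retry or fail.
    [ -n "$pass" ] || return 1
    # No trailing newline: it would become part of the passphrase.
    printf '%s' "$pass"
    unset pass
}

# Run only when installed under the (hypothetical) keyscript name.
if [ "${0##*/}" = "luks-key-fallback" ]; then
    get_key "${1:-}"
fi
```
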