From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] FDE with passphrase + low cost HSM in LUKS on boot
Date: Wed, 23 Dec 2020 20:29:14 +0100 [thread overview]
Message-ID: <20201223192914.2fcy52yav5kdfbcs@tansi.org> (raw)
In-Reply-To: <354777815.2908722.1608732531646@mail.yahoo.com>
By now I believe if you really want an encrypted boot process,
the best option is to get an encrypted USB stick (with keyboard)
and put the initrd on that. Remove after booting and preferably
before the net is up. I have done initrd on usb stick
with hardcoded LUKS passphrase, so that should work nicely.
A diskAshur Pro or something like it should do the trick, but
make sure you get something some actual security experts
have looked at.
My scenario for that was a server in a data-center to be rebooted
by a helper that has no access, but if needed gets the code to
a safe over the phone and there is the data-center chip card,
key and the USB stick in there. Plug in, boot server, remove
stick, put back in safe and lock safe. I think the person that
would actually have done it would have been our company cleaner
(smart person, displaced unfortunately and cannot get a better
job, but has very high personal integrity).
BTW, that is where the respective section in the FAQ comes from.
Regards,
Arno
On Wed, Dec 23, 2020 at 15:08:51 CET, JT Morée wrote:
> Purism (among others) has done some work around using tokens with LUKS
> etc. I have a few pages also. I use a Librem Key and LUKS encrypted root
> partition. Using tokens in the Linux boot process is still very immature
> but possible.
>
> /boot is unencrypted because it is nontrivial to get the boot process to be
> completely encrypted. On my Purism system PureBoot handles verifying the
> files in /boot. In theory, a secure boot setup on other systems can do
> the same.
>
> https://docs.puri.sm/PureBoot.html
> https://sites.google.com/site/jtmoree/knowledge-base/cryptsetup-luks-and-smart-cards?authuser=0
>
>
> JT
>
>
>
>
> On Tuesday, December 22, 2020, 5:10:40 AM MST, Fabio Martins <fm.crypt1@phosphorusnetworks.com> wrote:
>
> Hi,
>
> Would like to know if it is possible to use FDE + low cost HSM (Yubico
> like) on boot with LUKS.
>
> My idea being you need a passphrase (something you know) + something you
> have (HSM) to achieve real security.
>
> If not, is there a direction where such addition can be worked out?
>
> Thanks.
>
> --
>
> fm
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> https://www.saout.de/mailman/listinfo/dm-crypt
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
_______________________________________________
dm-crypt mailing list
dm-crypt@saout.de
https://www.saout.de/mailman/listinfo/dm-crypt
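The "something you know + something you have" unlock Fabio asks about is usually built by feeding a passphrase-derived challenge to the token's HMAC challenge-response slot and combining the response with the passphrase before it is offered to a keyslot. The following is an added illustration written for this archive page, not code from the dm-crypt project, Purism, or any poster. The token is simulated in software (a real device keeps its secret inside), and the keyslot is a deliberately simplified model (PBKDF2 plus XOR wrapping with a verification digest) that stands in for, and is not, the real LUKS keyslot format; all names and sample values are constructed.

```python
"""Two-factor keyslot unlock: passphrase + hardware-token challenge-response.

Constructed example. SimulatedToken stands in for a YubiKey-style HMAC-SHA1
challenge-response slot; enroll_keyslot/unlock are a simplified model of a
LUKS keyslot, not the actual on-disk format.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # constructed value for the example


class SimulatedToken:
    """Software stand-in for a hardware token.

    A real token never exposes the secret; it only answers challenges, so the
    response cannot be computed offline without the physical device.
    """

    def __init__(self, secret: bytes):
        self._secret = secret  # would live inside the device

    def challenge_response(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_slot_secret(passphrase: str, token: SimulatedToken) -> bytes:
    """Combine both factors into the secret offered to the keyslot.

    The challenge is derived from the passphrase, so holding only the token
    still requires guessing the passphrase one query at a time against the
    device, while holding only the passphrase gives no way to compute the
    response offline.
    """
    pw = passphrase.encode("utf-8")
    challenge = hashlib.sha256(pw).digest()[:20]
    response = token.challenge_response(challenge)
    return hashlib.sha256(pw + response).digest()


def enroll_keyslot(passphrase: str, token: SimulatedToken, volume_key: bytes) -> dict:
    """Wrap volume_key under the two-factor secret (simplified keyslot model)."""
    salt = os.urandom(16)
    slot_secret = derive_slot_secret(passphrase, token)
    kek = hashlib.pbkdf2_hmac("sha256", slot_secret, salt,
                              PBKDF2_ITERATIONS, dklen=len(volume_key))
    wrapped = bytes(a ^ b for a, b in zip(volume_key, kek))
    # digest over the volume key lets unlock() reject a wrong secret
    digest = hashlib.sha256(b"verify" + volume_key).digest()
    return {"salt": salt, "wrapped": wrapped, "digest": digest}


def unlock(slot: dict, passphrase: str, token: SimulatedToken):
    """Return the volume key when both factors are right, otherwise None."""
    slot_secret = derive_slot_secret(passphrase, token)
    kek = hashlib.pbkdf2_hmac("sha256", slot_secret, slot["salt"],
                              PBKDF2_ITERATIONS, dklen=len(slot["wrapped"]))
    candidate = bytes(a ^ b for a, b in zip(slot["wrapped"], kek))
    expected = hashlib.sha256(b"verify" + candidate).digest()
    if hmac.compare_digest(expected, slot["digest"]):
        return candidate
    return None


def demo() -> dict:
    """Exercise the three cases a practitioner cares about."""
    volume_key = os.urandom(32)
    token = SimulatedToken(os.urandom(20))
    slot = enroll_keyslot("correct horse", token, volume_key)
    other_token = SimulatedToken(os.urandom(20))
    return {
        "both factors": unlock(slot, "correct horse", token) == volume_key,
        "wrong passphrase": unlock(slot, "wrong horse", token) is None,
        "wrong token": unlock(slot, "correct horse", other_token) is None,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'ok' if ok else 'FAIL'}")
```

In a real setup the output of the combination step is what an initrd hook would pass to cryptsetup for the keyslot; the point of the model is that neither the passphrase alone nor the token alone reproduces that secret, and that losing the token is recoverable only if a second keyslot with a different factor was enrolled beforehand.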
Thread overview: 5+ messages
2020-12-22 12:01 [dm-crypt] FDE with passphrase + low cost HSM in LUKS on boot Fabio Martins
2020-12-22 21:56 ` Arno Wagner
2020-12-23 14:08 ` JT Morée
2020-12-23 19:29 ` Arno Wagner [this message]
2020-12-25 13:47 ` Fabio Martins