From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CE1C8C433E0 for ; Wed, 23 Dec 2020 19:30:13 +0000 (UTC) Received: from mail.server123.net (mail.server123.net [78.46.64.186]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 45618223E0 for ; Wed, 23 Dec 2020 19:30:12 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 45618223E0 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=wagner.name Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=dm-crypt-bounces@saout.de X-Virus-Scanned: amavisd-new at saout.de Received-SPF: None (mailfrom) identity=mailfrom; client-ip=84.19.178.47; helo=v1.tansi.org; envelope-from=arno@wagner.name; receiver= Received: from v1.tansi.org (mail.tansi.org [84.19.178.47]) by mail.server123.net (Postfix) with ESMTP for ; Wed, 23 Dec 2020 20:29:15 +0100 (CET) Received: from gatewagner.dyndns.org (81-6-44-245.init7.net [81.6.44.245]) by v1.tansi.org (Postfix) with ESMTPA id 6F59B14014C for ; Wed, 23 Dec 2020 20:29:15 +0100 (CET) Received: by gatewagner.dyndns.org (Postfix, from userid 1000) id 27F1B17A26F; Wed, 23 Dec 2020 20:29:14 +0100 (CET) Date: Wed, 23 Dec 2020 20:29:14 +0100 From: Arno Wagner To: dm-crypt@saout.de Message-ID: <20201223192914.2fcy52yav5kdfbcs@tansi.org> Mail-Followup-To: dm-crypt@saout.de References: <354777815.2908722.1608732531646@mail.yahoo.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <354777815.2908722.1608732531646@mail.yahoo.com> User-Agent: NeoMutt/20170113 (1.7.2) Subject: Re: [dm-crypt] FDE with passphrase + low cost HSM in LUKS on boot X-BeenThere: dm-crypt@saout.de X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Errors-To: dm-crypt-bounces@saout.de Sender: "dm-crypt" By now I beleive if you really want an entcypted boot process, the best option is to get an encrypted USB stick (with keyboard) and put the initrd on that. Remove after booting and preferrably before the net is up. I have done initrd on usb stick with hardcoded LUKS passphrase, so that should work nicely. A diskAshur Pro or something like it should do the trick, but make sure you get something some atrual security experts have looked at. My scenario for that was a server in a data-center to be rebooted by a helper that has no access, but if needed gets the code to a safe over the phone and there is the data-center chip card, = key and the USB stick in there. Plug in, boot server, remove stick, put back in safe and lock save. I think the person that would actually have done it would have been our company cleaner (smart person, displaced unfortunately and cannot get a better = job, but has very high personal integrity). BTW, that is where the serpective section in the FAQ comes from. Regards, Arno On Wed, Dec 23, 2020 at 15:08:51 CET, JT Mor=E9e wrote: > Purism (among others) has done some work around using tokens with luks > etc.=A0 I have a few pages also.=A0 I use a librem key and LUKS encrypted= root > partition.=A0 Using Tokens in the linux boot process is still very immatu= re > but possible. > = > boot is unencrypted because it is nontrivial to get the boot process to be > completely encrypted.=A0 One my purism system pureboot handles verifying = the > files in /boot.=A0 In theory, a secure boot setup on other systems can do > the same. > = > https://docs.puri.sm/PureBoot.html > https://sites.google.com/site/jtmoree/knowledge-base/cryptsetup-luks-and-= smart-cards?authuser=3D0 > = > = > JT > = > = > = > = > On Tuesday, December 22, 2020, 5:10:40 AM MST, Fabio Martins wrote: = > = > Hi, > = > Would like to know if is it possible to use FDE + low cost HSM (Yubico > like) on boot with LUKS. > = > My idea being you need a passphrase (something you know) + something you > have (HSM) to achieve real security. > = > If not, is there a direction where such addition can be worked out? > = > Thanks. > = > -- > = > fm > = > _______________________________________________ > dm-crypt mailing list > dm-crypt@saout.de > https://www.saout.de/mailman/listinfo/dm-crypt > _______________________________________________ > dm-crypt mailing list > dm-crypt@saout.de > https://www.saout.de/mailman/listinfo/dm-crypt -- = Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- A good decision is based on knowledge and not on numbers. -- Plato If it's in the news, don't worry about it. The very definition of = "news" is "something that hardly ever happens." -- Bruce Schneier _______________________________________________ dm-crypt mailing list dm-crypt@saout.de https://www.saout.de/mailman/listinfo/dm-crypt