DM-Crypt Archive on lore.kernel.org
From: "JT Morée" <moreejt@yahoo.com>
To: "dm-crypt@saout.de" <dm-crypt@saout.de>
Subject: Re: [dm-crypt] FDE with passphrase + low cost HSM in LUKS on boot
Date: Wed, 23 Dec 2020 14:08:51 +0000 (UTC)
Message-ID: <354777815.2908722.1608732531646@mail.yahoo.com>
In-Reply-To: <a609d1e89642cb0089f2a1d71ec860a2.squirrel@127.0.0.1>

Purism (among others) has done some work around using tokens with LUKS, etc.  I have a few pages also.  I use a Librem Key and a LUKS-encrypted root partition.  Using tokens in the Linux boot process is still very immature but possible.

/boot is unencrypted because it is nontrivial to get the boot process to be completely encrypted.  On my Purism system, PureBoot handles verifying the files in /boot.  In theory, a Secure Boot setup on other systems can do the same.

https://docs.puri.sm/PureBoot.html
https://sites.google.com/site/jtmoree/knowledge-base/cryptsetup-luks-and-smart-cards?authuser=0


JT
On Tuesday, December 22, 2020, 5:10:40 AM MST, Fabio Martins <fm.crypt1@phosphorusnetworks.com> wrote: 

Hi,

Would like to know if it is possible to use FDE + low cost HSM (Yubico
like) on boot with LUKS.

My idea being you need a passphrase (something you know) + something you
have (HSM) to achieve real security.

If not, is there a direction where such addition can be worked out?

Thanks.

--

fm

_______________________________________________
dm-crypt mailing list
dm-crypt@saout.de
https://www.saout.de/mailman/listinfo/dm-crypt
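The thread asks for "something you know + something you have" unlocking of a LUKS volume. The usual way token-based LUKS hooks do this is to derive the keyslot secret from both factors: the passphrase is turned into a challenge, the token answers it with an HMAC computed from a secret that never leaves the device, and passphrase plus response are fed through a KDF to produce the key material that is enrolled in a LUKS keyslot. The following is an added example (not code from the list, from Purism, or from any existing tool) that demonstrates that derivation with a constructed software stand-in for the token's HMAC-SHA1 challenge-response slot; the class and function names, the salt, and the iteration count are all assumptions of this example. It shows why losing either factor yields a different (wrong) key.

```python
import hashlib
import hmac
import os


class SimulatedToken:
    """Constructed stand-in for a hardware token's HMAC-SHA1 challenge-response
    slot. The slot secret is held inside the object and is never returned;
    the only operation exposed is answering a challenge, which mirrors how a
    real token behaves (assumption: HMAC-SHA1 slot, as on Yubico-style keys)."""

    def __init__(self, slot_secret: bytes) -> None:
        self._secret = slot_secret

    def challenge_response(self, challenge: bytes) -> bytes:
        # The "something you have" factor: only a device holding the slot
        # secret can produce this 20-byte response for a given challenge.
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_unlock_key(passphrase: str, token: SimulatedToken, salt: bytes,
                      iterations: int = 200_000) -> bytes:
    """Combine both factors into 64 bytes of keyslot material.

    Factor 1 (know): the passphrase.
    Factor 2 (have): the token's response to a challenge derived from the
    passphrase and a per-volume salt, so the challenge is stable across boots
    but different for every volume.
    The result is what you would enroll as a LUKS keyslot (e.g. by writing it
    to a key file and passing that to cryptsetup luksAddKey), and what the
    initramfs hook would regenerate at boot before calling cryptsetup open."""
    pw = passphrase.encode("utf-8")
    challenge = hashlib.sha256(salt + pw).digest()
    response = token.challenge_response(challenge)
    # PBKDF2 over passphrase || response: an attacker holding the disk and the
    # passphrase still lacks the response; one holding the token still lacks
    # the passphrase. Neither alone reproduces this output.
    return hashlib.pbkdf2_hmac("sha256", pw + response, salt, iterations, dklen=64)


def factor_check(passphrase: str, token: SimulatedToken, salt: bytes,
                 iterations: int = 200_000) -> dict:
    """Return the key for the correct factor pair alongside keys derived with
    a wrong passphrase and with a different token, so the caller can confirm
    that both factors are required."""
    other_token = SimulatedToken(os.urandom(20))  # constructed "wrong" device
    return {
        "both_factors": derive_unlock_key(passphrase, token, salt, iterations),
        "wrong_passphrase": derive_unlock_key(passphrase + "x", token, salt, iterations),
        "wrong_token": derive_unlock_key(passphrase, other_token, salt, iterations),
    }


if __name__ == "__main__":
    # Constructed demo values; a real deployment programs the slot secret
    # into the token once and stores only the salt on the unencrypted side.
    tok = SimulatedToken(b"constructed-slot-secret-not-for-real-use")
    salt = b"\x01" * 16
    keys = factor_check("correct horse battery staple", tok, salt)
    print("keyslot material:", keys["both_factors"].hex())
    print("wrong passphrase differs:", keys["wrong_passphrase"] != keys["both_factors"])
    print("wrong token differs:", keys["wrong_token"] != keys["both_factors"])
```

At boot the same derivation has to run inside the initramfs, which is why /boot (where that code lives) is the part that cannot itself be protected by the LUKS key and instead needs an integrity check such as the PureBoot file verification mentioned above.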
