From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=RQEl=F2=saout.de=dm-crypt-bounces@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=3.0 tests=BAYES_50,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS
	autolearn=no autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 9FE4CC433DB
	for <dm-crypt@archiver.kernel.org>; Tue, 22 Dec 2020 12:08:57 +0000 (UTC)
Received: from mail.server123.net (mail.server123.net [78.46.64.186])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id 1970522582
	for <dm-crypt@archiver.kernel.org>; Tue, 22 Dec 2020 12:08:56 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 1970522582
Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=phosphorusnetworks.com
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=dm-crypt-bounces@saout.de
X-Virus-Scanned: amavisd-new at saout.de
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=5.104.226.182;
 helo=phosphorusnetworks.com; envelope-from=fm.crypt1@phosphorusnetworks.com;
 receiver=<UNKNOWN> 
X-Greylist: delayed 403 seconds by postgrey-1.37 at siona;
 Tue, 22 Dec 2020 13:08:08 CET
Received: from phosphorusnetworks.com (mail.phosphorusnetworks.com
 [5.104.226.182])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mail.server123.net (Postfix) with ESMTPS
 for <dm-crypt@saout.de>; Tue, 22 Dec 2020 13:08:08 +0100 (CET)
Received: from localhost ([127.0.0.1])
 by phosphorusnetworks.com with esmtp (Exim 4.89)
 (envelope-from <fm.crypt1@phosphorusnetworks.com>)
 id 1krgLz-0004vW-R2
 for dm-crypt@saout.de; Tue, 22 Dec 2020 09:01:24 -0300
Received: from 127.0.0.1 (SquirrelMail authenticated user support)
 by 127.0.0.1 with HTTP; Tue, 22 Dec 2020 09:01:23 -0300
Message-ID: <a609d1e89642cb0089f2a1d71ec860a2.squirrel@127.0.0.1>
Date: Tue, 22 Dec 2020 09:01:23 -0300
From: "Fabio Martins" <fm.crypt1@phosphorusnetworks.com>
To: dm-crypt@saout.de
User-Agent: SquirrelMail/1.4.23 [SVN]
MIME-Version: 1.0
X-Priority: 3 (Normal)
Importance: Normal
Subject: [dm-crypt] FDE with passphrase + low cost HSM in LUKS on boot
X-BeenThere: dm-crypt@saout.de
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dm-crypt.saout.de>
List-Unsubscribe: <https://www.saout.de/mailman/options/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=unsubscribe>
List-Archive: <https://www.saout.de/pipermail/dm-crypt/>
List-Post: <mailto:dm-crypt@saout.de>
List-Help: <mailto:dm-crypt-request@saout.de?subject=help>
List-Subscribe: <https://www.saout.de/mailman/listinfo/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=subscribe>
Reply-To: fm.crypt1@phosphorusnetworks.com
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: dm-crypt-bounces@saout.de
Sender: "dm-crypt" <dm-crypt-bounces@saout.de>


Hi,

Would like to know if is it possible to use FDE + low cost HSM (Yubico
like) on boot with LUKS.

My idea being you need a passphrase (something you know) + something you
have (HSM) to achieve real security.

If not, is there a direction where such addition can be worked out?

Thanks.

--

fm

_______________________________________________
dm-crypt mailing list
dm-crypt@saout.de
https://www.saout.de/mailman/listinfo/dm-crypt