DM-Crypt Archive on lore.kernel.org
From: "Fabio Martins" <fm.crypt1@phosphorusnetworks.com>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] FDE with passphrase + low cost HSM in LUKS on boot
Date: Fri, 25 Dec 2020 10:47:13 -0300	[thread overview]
Message-ID: <c0143b455a50199da97eb79671f92de5.squirrel@127.0.0.1> (raw)
In-Reply-To: <20201223192914.2fcy52yav5kdfbcs@tansi.org>


Thanks for the answers.

The setup I want is for both personal computer and commercial server use:
password + open/low-cost HSM, to be built locally (Brazil).

The solution closest to my goal is Purism's. I understand it is a company
product, without specs to build the HSM yourself.

diskAshur PRO2 is also very interesting.

Thanks for the inputs, I will try to put them together to build a local one.

Regards,

-fm

> By now I believe if you really want an encrypted boot process,
> the best option is to get an encrypted USB stick (with keyboard)
> and put the initrd on that. Remove after booting and preferably
> before the net is up. I have done initrd on a USB stick
> with hardcoded LUKS passphrase, so that should work nicely.
>
> A diskAshur Pro or something like it should do the trick, but
> make sure you get something some actual security experts
> have looked at.
>
> My scenario for that was a server in a data-center to be rebooted
> by a helper that has no access, but if needed gets the code to
> a safe over the phone, and there is the data-center chip card,
> key and the USB stick in there. Plug in, boot server, remove
> stick, put it back in the safe and lock the safe. I think the person that
> would actually have done it would have been our company cleaner
> (smart person, unfortunately displaced and cannot get a better
> job, but has very high personal integrity).
>
> BTW, that is where the respective section in the FAQ comes from.
>
> Regards,
> Arno
>
>
>
> On Wed, Dec 23, 2020 at 15:08:51 CET, JT Morée wrote:
>> Purism (among others) has done some work around using tokens with LUKS
>> etc.  I have a few pages also.  I use a Librem Key and a LUKS-encrypted
>> root partition.  Using tokens in the Linux boot process is still very
>> immature but possible.
>>
>> /boot is unencrypted because it is nontrivial to get the boot process to
>> be completely encrypted.  On my Purism system, PureBoot handles verifying
>> the files in /boot.  In theory, a secure boot setup on other systems can
>> do the same.
>>
>> https://docs.puri.sm/PureBoot.html
>> https://sites.google.com/site/jtmoree/knowledge-base/cryptsetup-luks-and-smart-cards?authuser=0
>>
>>
>> JT
>>
>>
>>
>>
>> On Tuesday, December 22, 2020, 5:10:40 AM MST, Fabio Martins
>> <fm.crypt1@phosphorusnetworks.com> wrote:
>>
>> Hi,
>>
>> I would like to know if it is possible to use FDE + a low-cost HSM
>> (Yubico-like) on boot with LUKS.
>>
>> My idea being that you need a passphrase (something you know) + something
>> you have (HSM) to achieve real security.
>>
>> If not, is there a direction where such addition can be worked out?
>>
>> Thanks.
>>
>> --
>>
>> fm
>>
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt@saout.de
>> https://www.saout.de/mailman/listinfo/dm-crypt
>
> --
> Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
> GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D
> 9718
> ----
> A good decision is based on knowledge and not on numbers. -- Plato
>
> If it's in the news, don't worry about it.  The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
>




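The passphrase-plus-token scheme Fabio asks about (something you know bound to something you have) in working code, as an added example that is not code from this thread, from Purism, or from any yubikey-luks initramfs hook. It assumes a YubiKey-style HMAC-SHA1 challenge-response token: the value of TOKEN_SECRET is a constructed stand-in for the secret that a real token never exposes (in the real flow the response comes from `ykchalresp -2`, not from the simulation), and the derivation layout and the "luks2fa-v1" label are this example's own choices.

```python
"""Two-factor LUKS key material: passphrase (something you know) bound to a
hardware token's HMAC-SHA1 challenge-response (something you have).

Added example, not code from this thread, from Purism or from any
yubikey-luks initramfs hook. Assumptions (this example's own constructions):
the token is modelled as a YubiKey-style HMAC-SHA1 challenge-response slot,
TOKEN_SECRET is a constructed test value standing in for the secret that a
real token never exposes (the real response comes from `ykchalresp -2`), and
the derivation layout and the "luks2fa-v1" label are this example's choice.
"""
import hashlib
import hmac
import sys

# Constructed stand-in for the token's programmed secret. On a real token it
# is written once with ykpersonalize and cannot be read back.
TOKEN_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c")


def token_response(challenge: bytes, secret: bytes = TOKEN_SECRET) -> bytes:
    """Simulate the token: HMAC-SHA1 over the challenge, 20 bytes of output.

    This is what a YubiKey slot in HMAC-SHA1 challenge-response mode returns;
    in the initramfs the same bytes come from the USB device, not from here.
    """
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def derive_key(passphrase: str, response: bytes) -> bytes:
    """Bind both factors into 32 bytes of key material for a LUKS key slot.

    LUKS runs its own PBKDF (PBKDF2 or Argon2) over whatever it is given, so
    a single SHA-256 is enough here; its only job is to make the key slot
    depend on the passphrase AND the token response, with an unambiguous
    encoding (fixed label in front, fields separated by NUL).
    """
    h = hashlib.sha256()
    h.update(b"luks2fa-v1\0")
    h.update(passphrase.encode("utf-8"))
    h.update(b"\0")
    h.update(response)
    return h.digest()


def two_factor_key(passphrase: str, secret: bytes = TOKEN_SECRET) -> bytes:
    """Full flow: hash the passphrase into the challenge, ask the token, bind.

    Hashing the passphrase first means the raw passphrase never crosses the
    USB bus, and the challenge is a fixed 32 bytes whatever its length.
    """
    challenge = hashlib.sha256(passphrase.encode("utf-8")).digest()
    return derive_key(passphrase, token_response(challenge, secret))


def unlock_invocation(device: str, key: bytes, mapping: str = "cryptroot"):
    """argv and stdin bytes for unlocking with the derived key.

    --key-file=- makes cryptsetup read the key from stdin, so the combined
    key material exists only in memory and is never written to disk.
    """
    argv = ["cryptsetup", "open", "--key-file=-", device, mapping]
    return argv, key


if __name__ == "__main__":
    # Demo only: passphrase from argv, derived key shown in hex.
    pw = sys.argv[1] if len(sys.argv) > 1 else "correct horse battery staple"
    argv, key = unlock_invocation("/dev/sda2", two_factor_key(pw))
    print("derived key:", key.hex())
    print("would run  :", " ".join(argv), "  (key bytes on stdin)")
```

Enrolment is the same derivation fed to `cryptsetup luksAddKey` as the new key; the initramfs then needs a hook that reproduces exactly this derivation with the real token before `cryptsetup open`. Two checks a practitioner will want: remove the passphrase-only key slot once the two-factor slot has been verified to unlock, otherwise the passphrase alone is still a valid single-factor path; and program the token's HMAC secret from a random source without keeping a copy, because anyone holding that secret can compute the response without the token.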


Thread overview: 5+ messages
2020-12-22 12:01 [dm-crypt] FDE with passphrase + low cost HSM in LUKS on boot Fabio Martins
2020-12-22 21:56 ` Arno Wagner
2020-12-23 14:08 ` JT Morée
2020-12-23 19:29   ` Arno Wagner
2020-12-25 13:47     ` Fabio Martins [this message]
