From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Fri, 25 Dec 2020 10:47:13 -0300
From: "Fabio Martins"
Reply-To: fm.crypt1@phosphorusnetworks.com
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] FDE with passphrase + low cost HSM in LUKS on boot
In-Reply-To: <20201223192914.2fcy52yav5kdfbcs@tansi.org>
References: <354777815.2908722.1608732531646@mail.yahoo.com>
 <20201223192914.2fcy52yav5kdfbcs@tansi.org>
User-Agent: SquirrelMail/1.4.23 [SVN]
Content-Type: text/plain; charset="iso-8859-1"

Thanks for the answers.

The setup I want is for both personal computer and commercial server use:
password + open/low cost HSM, to be built locally (Brazil).

The solution that is closest to my goal is the Purism. I understand it is a
company product, without specs to build the HSM yourself.

diskAshur PRO2 is also very interesting.

Thanks for the inputs, I will try to put them together to build a local one.

Regards,
-fm

> By now I believe if you really want an encrypted boot process,
> the best option is to get an encrypted USB stick (with keyboard)
> and put the initrd on that. Remove after booting and preferably
> before the net is up. I have done initrd on usb stick
> with hardcoded LUKS passphrase, so that should work nicely.
>
> A diskAshur Pro or something like it should do the trick, but
> make sure you get something some actual security experts
> have looked at.
>
> My scenario for that was a server in a data-center to be rebooted
> by a helper that has no access, but if needed gets the code to
> a safe over the phone and there is the data-center chip card,
> key and the USB stick in there. Plug in, boot server, remove
> stick, put back in safe and lock safe. I think the person that
> would actually have done it would have been our company cleaner
> (smart person, displaced unfortunately and cannot get a better
> job, but has very high personal integrity).
>
> BTW, that is where the respective section in the FAQ comes from.
>
> Regards,
> Arno
>
> On Wed, Dec 23, 2020 at 15:08:51 CET, JT Morée wrote:
>> Purism (among others) has done some work around using tokens with luks
>> etc. I have a few pages also. I use a librem key and LUKS encrypted root
>> partition. Using Tokens in the linux boot process is still very immature
>> but possible.
>>
>> boot is unencrypted because it is nontrivial to get the boot process to be
>> completely encrypted. On my purism system pureboot handles verifying the
>> files in /boot. In theory, a secure boot setup on other systems can do
>> the same.
>>
>> https://docs.puri.sm/PureBoot.html
>> https://sites.google.com/site/jtmoree/knowledge-base/cryptsetup-luks-and-smart-cards?authuser=0
>>
>> JT
>>
>> On Tuesday, December 22, 2020, 5:10:40 AM MST, Fabio Martins wrote:
>>
>> Hi,
>>
>> Would like to know if it is possible to use FDE + low cost HSM (Yubico
>> like) on boot with LUKS.
>>
>> My idea being you need a passphrase (something you know) + something you
>> have (HSM) to achieve real security.
>>
>> If not, is there a direction where such addition can be worked out?
>>
>> Thanks.
>>
>> --
>>
>> fm
>>
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt@saout.de
>> https://www.saout.de/mailman/listinfo/dm-crypt
>
> --
> Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
> GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
> ----
> A good decision is based on knowledge and not on numbers. -- Plato
>
> If it's in the news, don't worry about it. The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
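Added example (not code from the thread, from any of the posters, or from cryptsetup): the two factors Fabio asks for, a passphrase (something you know) and a Yubico-style token (something you have), folded into one secret for a LUKS key slot. It assumes the token implements HMAC-SHA1 challenge-response, and simulates the token in software with a constructed secret so it runs offline; the function names (token_response, derive_luks_key, enroll, unlock_attempt, write_keyfile), the challenge, salt and all sample values are the example's own.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Optional

# Constructed sample inputs, not real secrets.
PASSPHRASE = b"correct horse battery staple"  # something you know
# something you have: the 20-byte HMAC-SHA1 secret that lives inside the token
TOKEN_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0a1b2c3d4")
# Fixed, non-secret values; they can be stored in the clear (e.g. in the initrd).
CHALLENGE = b"luks-root:slot1"
SALT = bytes.fromhex("a5b4c3d2e1f00f1e2d3c4b5a69788796")


def token_response(secret: bytes, challenge: bytes) -> bytes:
    """Software stand-in for the token (assumption: HMAC-SHA1 challenge-response).
    A real token computes this on-device from a write-only secret; here the
    secret is in memory only so the example runs without hardware."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def derive_luks_key(passphrase: bytes, response: bytes, salt: bytes,
                    iterations: int = 200_000) -> bytes:
    """Fold both factors into one 64-byte slot secret.
    PBKDF2 stretches the passphrase so an offline guess costs real work; the
    token response is then mixed in via HMAC, so the passphrase plus a copy of
    this script still does not reproduce the key without the token."""
    stretched = hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=32)
    return hmac.new(response, stretched, hashlib.sha512).digest()


def enroll(passphrase: bytes, token_secret: bytes) -> bytes:
    """Enrollment-time derivation: the bytes you would feed to luksAddKey."""
    return derive_luks_key(passphrase, token_response(token_secret, CHALLENGE), SALT)


def unlock_attempt(passphrase: bytes, token_secret: Optional[bytes], enrolled: bytes) -> bool:
    """Boot-time derivation in the same shape. With no token present there is no
    response at all (modelled as an empty string), so the key cannot match.
    The comparison is constant-time."""
    response = token_response(token_secret, CHALLENGE) if token_secret is not None else b""
    candidate = derive_luks_key(passphrase, response, SALT)
    return hmac.compare_digest(candidate, enrolled)


def write_keyfile(key: bytes, path: str) -> None:
    """Write the slot secret as an owner-only keyfile, created with O_EXCL so an
    existing file at that path is never silently reused."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key)


if __name__ == "__main__":
    key = enroll(PASSPHRASE, TOKEN_SECRET)
    path = os.path.join(tempfile.mkdtemp(), "luks-slot.key")
    write_keyfile(key, path)
    print("keyfile written:", path)
    print("passphrase only, no token   :", unlock_attempt(PASSPHRASE, None, key))
    print("token only, wrong passphrase:", unlock_attempt(b"guess", TOKEN_SECRET, key))
    print("both factors                :", unlock_attempt(PASSPHRASE, TOKEN_SECRET, key))
    # The keyfile would then be enrolled with
    #   cryptsetup luksAddKey /dev/<luks-device> luks-slot.key
    # and used at boot with
    #   cryptsetup open --key-file luks-slot.key /dev/<luks-device> <name>
```

The derived bytes are only as good as the factors behind them: the salt and challenge are public by design, so everything an attacker lacks is the passphrase and the secret that never leaves the token. In a real initrd the response comes from the token hardware rather than from token_response, and the keyfile should be written to RAM only and wiped after the volume is open.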