* [dm-crypt] FDE with passphrase + low cost HSM in LUKS on boot
From: Fabio Martins @ 2020-12-22 12:01 UTC
To: dm-crypt

Hi,

Would like to know if it is possible to use FDE + low cost HSM (Yubico like) on boot with LUKS.

My idea being you need a passphrase (something you know) + something you have (HSM) to achieve real security.

If not, is there a direction where such addition can be worked out?

Thanks.

--
fm
_______________________________________________
dm-crypt mailing list
dm-crypt@saout.de
https://www.saout.de/mailman/listinfo/dm-crypt
* Re: [dm-crypt] FDE with passphrase + low cost HSM in LUKS on boot
From: Arno Wagner @ 2020-12-22 21:56 UTC
To: dm-crypt

Sure. But you likely have to code it yourself. FAQ Section 9 can give you a point to start:
https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions#9-the-initrd-question

BTW, a Yubikey is not a "HSM". It is just a crypto-token.

Regards,
Arno

On Tue, Dec 22, 2020 at 13:01:23 CET, Fabio Martins wrote:
>
> Hi,
>
> Would like to know if it is possible to use FDE + low cost HSM (Yubico
> like) on boot with LUKS.
>
> My idea being you need a passphrase (something you know) + something you
> have (HSM) to achieve real security.
>
> If not, is there a direction where such addition can be worked out?
>
> Thanks.
>
> --
>
> fm

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
* Re: [dm-crypt] FDE with passphrase + low cost HSM in LUKS on boot
From: JT Morée @ 2020-12-23 14:08 UTC
To: dm-crypt@saout.de

Purism (among others) has done some work around using tokens with LUKS etc. I have a few pages also. I use a Librem Key and LUKS encrypted root partition. Using tokens in the Linux boot process is still very immature but possible.

/boot is unencrypted because it is nontrivial to get the boot process to be completely encrypted. On my Purism system, PureBoot handles verifying the files in /boot. In theory, a secure boot setup on other systems can do the same.

https://docs.puri.sm/PureBoot.html
https://sites.google.com/site/jtmoree/knowledge-base/cryptsetup-luks-and-smart-cards?authuser=0

JT

On Tuesday, December 22, 2020, 5:10:40 AM MST, Fabio Martins <fm.crypt1@phosphorusnetworks.com> wrote:

> Hi,
>
> Would like to know if it is possible to use FDE + low cost HSM (Yubico
> like) on boot with LUKS.
>
> My idea being you need a passphrase (something you know) + something you
> have (HSM) to achieve real security.
>
> If not, is there a direction where such addition can be worked out?
>
> Thanks.
>
> --
>
> fm
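The two-factor unlock the thread is asking about (passphrase + challenge-response token feeding one LUKS key slot), as an added example that is not part of the thread, of cryptsetup, or of any of the projects linked above. The token is modelled by an HMAC-SHA1 function over a constructed device secret so the script runs offline; on real hardware that function is replaced by the token's challenge-response call (the `ykchalresp -2 -x` invocation named in the comment is an assumption about the yubikey-personalization tools, not something this thread documents). The `cryptsetup open --key-file -` invocation is real cryptsetup syntax; the device path, mapping name and demo secret are made up for illustration.

```python
#!/usr/bin/env python3
"""Derive LUKS key material from two factors:
   - something you know: a passphrase typed at boot
   - something you have: a token's HMAC challenge-response slot
The same derivation must be used once at enrolment
(cryptsetup luksAddKey --key-file -) and at every unlock.
"""
import hashlib
import hmac
import subprocess

# Constructed stand-in for the secret programmed into the token's HMAC slot.
# On a real token this value never leaves the device; it exists here only
# so the example runs without hardware.
DEMO_DEVICE_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0a1b2c3d4")


def token_response(challenge: bytes, device_secret: bytes = DEMO_DEVICE_SECRET) -> bytes:
    """Model of a Yubikey-style HMAC-SHA1 challenge-response slot (20-byte output).

    With real hardware, replace the body with the token call, e.g. (assumed
    interface, not from this thread):
        subprocess.run(["ykchalresp", "-2", "-x", challenge.hex()], ...)
    """
    return hmac.new(device_secret, challenge, hashlib.sha1).digest()


def derive_luks_key(passphrase: str, device_secret: bytes = DEMO_DEVICE_SECRET) -> bytes:
    """Combine both factors into 32 bytes of raw LUKS key material.

    The challenge is a hash of the passphrase, so the token response is
    passphrase-specific. The response then keys an HMAC over the passphrase:
    without the token the response cannot be computed, and with a stolen
    token each passphrase guess still costs one round-trip to the device
    plus LUKS's own slot KDF on the header.
    """
    pw = passphrase.encode("utf-8")
    challenge = hashlib.sha256(pw).digest()          # fixed 32-byte challenge
    response = token_response(challenge, device_secret)
    return hmac.new(response, pw, hashlib.sha256).digest()


def unlock_command(device: str, name: str) -> list:
    """cryptsetup invocation that reads the derived key bytes from stdin.

    With '--key-file -' cryptsetup reads stdin to EOF and does not stop at
    newline bytes, so the raw 32-byte key can be piped in directly.
    """
    return ["cryptsetup", "open", "--type", "luks", "--key-file", "-", device, name]


def unlock(device: str, name: str, passphrase: str) -> int:
    """Derive the key and hand it to cryptsetup; returns cryptsetup's exit code."""
    key = derive_luks_key(passphrase)
    proc = subprocess.run(unlock_command(device, name), input=key, check=False)
    return proc.returncode


if __name__ == "__main__":
    import getpass
    # Hypothetical device and mapping name; run as root inside the initrd.
    rc = unlock("/dev/sda2", "cryptroot", getpass.getpass("LUKS passphrase: "))
    raise SystemExit(rc)
```

Enrol with the same derivation (`derive_luks_key(...)` piped into `cryptsetup luksAddKey /dev/sda2 --key-file -`) and keep an ordinary passphrase in a second slot as a recovery path, otherwise a lost or reprogrammed token bricks the volume. The model above only binds the two factors; it does not make /boot or the initrd trustworthy, which is the separate problem JT raises.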
* Re: [dm-crypt] FDE with passphrase + low cost HSM in LUKS on boot
From: Arno Wagner @ 2020-12-23 19:29 UTC
To: dm-crypt

By now I believe if you really want an encrypted boot process, the best option is to get an encrypted USB stick (with keyboard) and put the initrd on that. Remove after booting and preferably before the net is up. I have done initrd on USB stick with hardcoded LUKS passphrase, so that should work nicely.

A diskAshur Pro or something like it should do the trick, but make sure you get something some actual security experts have looked at.

My scenario for that was a server in a data-center to be rebooted by a helper that has no access, but if needed gets the code to a safe over the phone and there is the data-center chip card, key and the USB stick in there. Plug in, boot server, remove stick, put back in safe and lock safe. I think the person that would actually have done it would have been our company cleaner (smart person, displaced unfortunately and cannot get a better job, but has very high personal integrity).

BTW, that is where the respective section in the FAQ comes from.

Regards,
Arno

On Wed, Dec 23, 2020 at 15:08:51 CET, JT Morée wrote:
> Purism (among others) has done some work around using tokens with LUKS
> etc. I have a few pages also. I use a Librem Key and LUKS encrypted root
> partition. Using tokens in the Linux boot process is still very immature
> but possible.
>
> /boot is unencrypted because it is nontrivial to get the boot process to be
> completely encrypted. On my Purism system, PureBoot handles verifying the
> files in /boot. In theory, a secure boot setup on other systems can do
> the same.
>
> https://docs.puri.sm/PureBoot.html
> https://sites.google.com/site/jtmoree/knowledge-base/cryptsetup-luks-and-smart-cards?authuser=0
>
> JT

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
* Re: [dm-crypt] FDE with passphrase + low cost HSM in LUKS on boot
From: Fabio Martins @ 2020-12-25 13:47 UTC
To: dm-crypt

Thanks for the answers.

My setup wanted is both for personal computer and commercial server use. Password + open/low cost HSM, to be built locally (Brazil).

The solution that is closest to my goal is the Purism. I understand it is a company product, without specs to build the HSM yourself.

diskAshur PRO2 is also very interesting.

Thanks for the inputs, I will try to put them together to build a local one.

Regards,
-fm

> By now I believe if you really want an encrypted boot process,
> the best option is to get an encrypted USB stick (with keyboard)
> and put the initrd on that. Remove after booting and preferably
> before the net is up. I have done initrd on USB stick
> with hardcoded LUKS passphrase, so that should work nicely.
>
> A diskAshur Pro or something like it should do the trick, but
> make sure you get something some actual security experts
> have looked at.
>
> My scenario for that was a server in a data-center to be rebooted
> by a helper that has no access, but if needed gets the code to
> a safe over the phone and there is the data-center chip card,
> key and the USB stick in there. Plug in, boot server, remove
> stick, put back in safe and lock safe. I think the person that
> would actually have done it would have been our company cleaner
> (smart person, displaced unfortunately and cannot get a better
> job, but has very high personal integrity).
>
> BTW, that is where the respective section in the FAQ comes from.
>
> Regards,
> Arno
>
> On Wed, Dec 23, 2020 at 15:08:51 CET, JT Morée wrote:
>> Purism (among others) has done some work around using tokens with LUKS
>> etc. I have a few pages also. I use a Librem Key and LUKS encrypted
>> root partition. Using tokens in the Linux boot process is still very
>> immature but possible.
>>
>> /boot is unencrypted because it is nontrivial to get the boot process to
>> be completely encrypted. On my Purism system, PureBoot handles verifying
>> the files in /boot. In theory, a secure boot setup on other systems can do
>> the same.
>>
>> https://docs.puri.sm/PureBoot.html
>> https://sites.google.com/site/jtmoree/knowledge-base/cryptsetup-luks-and-smart-cards?authuser=0
>>
>> JT