From: "Lennart Sorensen"
Date: Fri, 30 Aug 2013 10:38:36 -0400
To: The development of GNU GRUB
Subject: Re: LUKS Encryption and Fingerprint readers?
Message-ID: <20130830143836.GS12616@csclub.uwaterloo.ca>
In-Reply-To: <20130830091044.38CAE17CCB5@mx3-out.mindef.nl>

On Fri, Aug 30, 2013 at 11:10:39AM +0200, J.Witvliet@mindef.nl wrote:
> -----Original Message-----
> From: grub-devel-bounces+j.witvliet=mindef.nl@gnu.org [mailto:grub-devel-bounces+j.witvliet=mindef.nl@gnu.org] On Behalf Of TJ
> Sent: Thursday, August 29, 2013 10:20 PM
> To: grub-devel@gnu.org
> Subject: Re: LUKS Encryption and Fingerprint readers?
>
> On 29/08/13 20:13, Glenn Washburn wrote:
> > On Thu, 15 Aug 2013 17:51:03 +0100
> > TJ wrote:
> >
> >> So I'd like to know what support for key-files and/or fingerprint
> >> reading is/could be as input for LUKS unlocking?
> >>
> >> My other thought, to keep things simple, is to encrypt the entire
> >> hard drive and install GRUB and the /boot/ files on the removable USB
> >> key. More clunky but maybe easier to achieve.
> >
> > Based on this comment I assume you currently have an unencrypted boot
> > area on the hard drive and are using an initrd.
>
> I've been using a classical unencrypted boot-loader and kernel/initrd with LUKS key-file protected file-systems on the servers and desktops.
>
> I've recently decided to standardise on a single model laptop, the Dell XPS m1530, which includes a fingerprint reader. A primary reason for selecting this model is its 3 mini-PCIe internal slots and
> good range of external interfaces, coupled with 8GB RAM, VDPAU-supporting Nvidia 8600M, 1920x1200 LCD, Blu-ray disc, proper MMC card reader, and ExpressCard/54. The laptops are easy to strip down and
> repair, and parts are cheap and easy to come by.
>
> The fingerprint reader is quite useful for trivial unlock and sudo authorisation, and that made me think maybe more use could be made of it. The points about fingerprints being lifted from the keys to
> unlock it hadn't occurred to me - that'd be silly, so I'm now moving to whole-disc encryption with the boot-loader, kernel, and initrd on a key-fob USB.
>
> I'd still like GRUB to be able to read a key-file rather than a typed pass-phrase, and have the key-file hidden on a (second) small (1GB) randomised-data USB flash device (no file-system) so even the
> operator can't be sure where to find the bytes that unlock it.
>
> If we can figure it out we'd like to be able to configure/unlock different LVM volumes based on which LUKS slot is used to unlock, too, and log the LUKS attempts from GRUB.
>
> Tall order I know, but the technology is there - we just have to join it up!
>
> -----Original Message-----
>
> Hi TJ,
>
> Are you very sure you want this?
> Some time ago I experimented with fingerprints, and the result was not encouraging...
> From a security point of view, not that many problems (besides all the well-known general issues with fingerprints).
> I mean no false positives, but the huge amount of false negatives: nine times out of ten, it did not recognize correctly. Always glad I could still use username & pwd.
> As I was testing on IBM-Lenovo laptops, I think (hope) that those readers were of decent quality...
>
> So unless the quality of the readers has improved drastically in the last five years, you'd better think twice before embarking on such a trip...

They have improved. The one on my W530, which is about 9 months old, works very well. Even swiping at a slight angle is no longer a problem. I would say it only fails to recognize a swipe 1 in 20 times. Given how well it worked I was wondering if perhaps it was just letting everything through, but using fingers I didn't register has never worked any time I have tried, so it does seem they really have gotten better.

-- 
Len Sorensen