From: TJ <grub-devel@iam.tj>
To: grub-devel@gnu.org
Subject: Re: LUKS Encryption and Fingerprint readers?
Date: Thu, 29 Aug 2013 21:20:14 +0100
Message-ID: <521FACFE.1050906@iam.tj>
In-Reply-To: <20130829141327.25173ac9@crass-Ideapad-Z570>
On 29/08/13 20:13, Glenn Washburn wrote:
> On Thu, 15 Aug 2013 17:51:03 +0100
> TJ <grub-devel@iam.tj> wrote:
>
>> So I'd like to know what support for key-files and/or fingerprint
>> reading is/could be as input for LUKS unlocking?
>>
>> My other thought, to keep things simple, is to encrypt the entire
>> hard drive and install GRUB and the /boot/ files on the removable USB
>> key. More clunky but maybe easier to achieve.
>
> Based on this comment I assume you currently have an unencrypted boot
> area on the harddrive and using an initrd.
I've been using a classical unencrypted boot-loader and kernel/initrd with LUKS key-file protected file-systems on the servers and desktops.

I've recently decided to standardise on a single model laptop, the Dell XPS m1530, which includes a fingerprint reader. A primary reason for selecting this model is its 3 mini-PCIe internal slots and good range of external interfaces, coupled with 8GB RAM, VDPAU-supporting Nvidia 8600M, 1920x1200 LCD, Blu-ray disc, proper MMC card reader, and ExpressCard/54. The laptops are easy to strip down and repair, and parts are cheap and easy to come by.

The fingerprint reader is quite useful for trivial unlock and sudo authorisation, and that made me think maybe more use could be made of it. The points about fingerprints being lifted from the keys to unlock it hadn't occurred to me - that'd be silly, so I'm now moving to whole-disc encryption with the boot-loader, kernel, and initrd on a key-fob USB.

I'd still like GRUB to be able to read a key-file rather than a typed pass-phrase, and have the key-file hidden on a (second) small (1GB) randomised-data USB flash device (no file-system) so even the operator can't be sure where to find the bytes that unlock it.

If we can figure it out, we'd like to be able to configure/unlock different LVM volumes based on which LUKS slot is used to unlock, too, and log the LUKS attempts from GRUB.

Tall order, I know, but the technology is there - we just have to join it up!