From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <5221B2AE.3000304@iam.tj>
Date: Sat, 31 Aug 2013 10:09:02 +0100
From: TJ
To: grub-devel@gnu.org
Subject: Re: LUKS Encryption and Fingerprint readers?
References: <520D06F7.5030900@iam.tj> <20130829141327.25173ac9@crass-Ideapad-Z570> <521FACFE.1050906@iam.tj> <20130830142200.3cbeb0b0@crass-Ideapad-Z570>
In-Reply-To: <20130830142200.3cbeb0b0@crass-Ideapad-Z570>
Content-Type: text/plain; charset=UTF-8

On 30/08/13 20:22, Glenn Washburn wrote:
>> I'd still like GRUB to be able to read a key-file rather than a typed
>> pass-phrase, and have the key-file hidden on a (second) small (1GB)
>> randomised-data USB flash device (no file-system) so even the
>> operator can't be sure where to find the bytes that unlock it.
>
> Again. If your initrd and kernel are unencrypted on the USB, then you
> don't need keyfile support or any encryption support in grub.

The USB device(s) will be encrypted.

>> If we can figure it out we'd like to be able to configure/unlock
>> different LVM volumes based on which LUKS slot is used to unlock,
>> too, and log the LUKS attempts from GRUB.
>
> This really doesn't make sense. LVM volumes aren't "unlocked", LUKS
> volumes sure.

There will be multiple layers of encryption using different keys. The LVMs within the whole-disk encryption will have different keys. Not all users will have access to the same collection of keys.

It doesn't look too difficult to add patches to achieve what I'm aiming for.