grub-devel

Re: LUKS Encryption and Fingerprint readers?


From: TJ
Subject: Re: LUKS Encryption and Fingerprint readers?
Date: Thu, 29 Aug 2013 21:20:14 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130803 Thunderbird/17.0.8

On 29/08/13 20:13, Glenn Washburn wrote:
> On Thu, 15 Aug 2013 17:51:03 +0100
> TJ <address@hidden> wrote:
> 
>> So I'd like to know what support for key-files and/or fingerprint
>> reading is/could be as input for LUKS unlocking?
>>
>> My other thought, to keep things simple, is to encrypt the entire
>> hard drive and install GRUB and the /boot/ files on the removable USB
>> key. More clunky but maybe easier to achieve.
> 
> Based on this comment I assume you currently have an unencrypted boot
> area on the hard drive and are using an initrd.

I've been using a classical unencrypted boot-loader and kernel/initrd with LUKS 
key-file protected file-systems on the servers and desktops.

I've recently decided to standardise on a single model of laptop, the Dell XPS 
m1530, which includes a fingerprint reader. A primary reason for selecting this 
model is its 3 mini-PCIe internal slots and good range of external interfaces, 
coupled with 8GB RAM, VDPAU-supporting Nvidia 8600M, 1920x1200 LCD, Blu-ray 
disc, proper MMC card reader, and ExpressCard/54. The laptops are easy to strip 
down and repair, and parts are cheap and easy to come by.

The fingerprint reader is quite useful for trivial unlock and sudo 
authorisation, and that made me think maybe more use could be made of it. The 
points about fingerprints being lifted from the keys to unlock it hadn't 
occurred to me - that'd be silly, so I'm now moving to whole-disc encryption 
with the boot-loader, kernel, and initrd on a key-fob USB.

I'd still like GRUB to be able to read a key-file rather than a typed 
pass-phrase, and have the key-file hidden on a (second) small (1GB) 
randomised-data USB flash device (no file-system) so even the operator can't 
be sure where to find the bytes that unlock it.

If we can figure it out we'd like to be able to configure/unlock different LVM 
volumes based on which LUKS slot is used to unlock, too, and log the LUKS 
attempts from GRUB.

Tall order I know, but the technology is there - we just have to join it up!
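The "key bytes hidden at an offset inside a stick full of random data" idea above is the same model cryptsetup already supports on the Linux side with `--keyfile-offset` / `--keyfile-size`. The script below is an added example written for this archive page; it is not TJ's or the GRUB project's code. A regular file stands in for the raw USB device so it runs without root, and the key size (64 bytes), offset (1 MiB) and image size are assumptions. The cryptsetup commands that would apply the same offset and size to a real device are given in comments, with `/dev/sdX` and `/dev/sda2` as placeholders.

```shell
#!/bin/sh
# Added example: model of a LUKS key-file hidden at a fixed offset inside a
# device that otherwise holds only random data. A file replaces the raw USB
# stick so no root is needed. All sizes below are assumptions for the demo.

KEY_SIZE=64          # bytes of key material
KEY_OFFSET=1048576   # 1 MiB into the device; the offset is part of the secret
IMAGE_SIZE=2097152   # 2 MiB stand-in for the 1GB stick

# make_image IMAGE KEYFILE
# Fill IMAGE with random bytes, generate a fresh random key into KEYFILE, and
# write that key into IMAGE at KEY_OFFSET. Nothing marks where the key sits.
make_image() {
    image="$1"; keyfile="$2"
    dd if=/dev/urandom of="$image" bs=4096 count=$((IMAGE_SIZE / 4096)) 2>/dev/null
    dd if=/dev/urandom of="$keyfile" bs="$KEY_SIZE" count=1 2>/dev/null
    # conv=notrunc keeps the surrounding random bytes; bs=1 makes seek a byte count
    dd if="$keyfile" of="$image" bs=1 seek="$KEY_OFFSET" conv=notrunc 2>/dev/null
}

# extract_key IMAGE OUT [OFFSET]
# Read KEY_SIZE bytes starting at OFFSET (default KEY_OFFSET). This is exactly
# what cryptsetup does with --keyfile-offset/--keyfile-size on the real device.
extract_key() {
    off="${3:-$KEY_OFFSET}"
    dd if="$1" of="$2" bs=1 skip="$off" count="$KEY_SIZE" 2>/dev/null
}

# keys_match A B: succeeds (status 0) if the two files are byte-identical
keys_match() {
    cmp -s "$1" "$2"
}

# key_length FILE: size of FILE in bytes, without leading spaces from wc
key_length() {
    wc -c < "$1" | tr -d ' '
}

# Real-device usage (needs root; /dev/sdX = random-data stick, /dev/sda2 = LUKS
# volume, both placeholders). The offset and size must then live somewhere GRUB
# or the initrd can read them, so possession of the stick plus that config is
# what unlocks the volume; the random filler only hides the key from inspection.
#   cryptsetup luksAddKey /dev/sda2 /dev/sdX \
#       --new-keyfile-offset "$KEY_OFFSET" --new-keyfile-size "$KEY_SIZE"
#   cryptsetup open /dev/sda2 cryptroot --key-file /dev/sdX \
#       --keyfile-offset "$KEY_OFFSET" --keyfile-size "$KEY_SIZE"

# demo: build an image, recover the key at the right offset, show that an
# offset one byte off yields unrelated bytes.
demo() {
    tmp=$(mktemp -d)
    make_image "$tmp/stick.img" "$tmp/key.bin"
    extract_key "$tmp/stick.img" "$tmp/key.out"
    if keys_match "$tmp/key.bin" "$tmp/key.out"; then
        echo "key recovered at offset $KEY_OFFSET ($(key_length "$tmp/key.out") bytes)"
    fi
    extract_key "$tmp/stick.img" "$tmp/wrong.out" $((KEY_OFFSET + 1))
    if ! keys_match "$tmp/key.bin" "$tmp/wrong.out"; then
        echo "offset $((KEY_OFFSET + 1)) gives different bytes, as expected"
    fi
    rm -rf "$tmp"
}

demo
```

The point for whoever wires this into a boot chain: the hidden-offset layout changes nothing cryptographically. Whatever component reads the key (GRUB, the initrd) has to know the offset and size, so they end up in a config file next to the boot-loader, and anyone holding the stick and that config can unlock the volume just as with a plain key-file.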
