grub-devel

RE: LUKS Encryption and Fingerprint readers?


From: J.Witvliet
Subject: RE: LUKS Encryption and Fingerprint readers?
Date: Fri, 30 Aug 2013 11:10:39 +0200

-----Original Message-----
From: address@hidden [mailto:address@hidden On Behalf Of TJ
Sent: Thursday, August 29, 2013 10:20 PM
To: address@hidden
Subject: Re: LUKS Encryption and Fingerprint readers?

On 29/08/13 20:13, Glenn Washburn wrote:
> On Thu, 15 Aug 2013 17:51:03 +0100
> TJ <address@hidden> wrote:
> 
>> So I'd like to know what support for key-files and/or fingerprint
>> reading is/could be as input for LUKS unlocking?
>>
>> My other thought, to keep things simple, is to encrypt the entire
>> hard drive and install GRUB and the /boot/ files on the removable USB
>> key. More clunky but maybe easier to achieve.
> 
> Based on this comment I assume you currently have an unencrypted boot
> area on the harddrive and using an initrd.

I've been using a classical unencrypted boot-loader and kernel/initrd with LUKS 
key-file protected file-systems on the servers and desktops.

I've recently decided to standardise on a single model laptop, the Dell XPS 
m1530, which includes a fingerprint reader. A primary reason for selecting this 
model is its 3 mini-PCIe internal slots and
good range of external interfaces, coupled with 8GB RAM, VDPAU-supporting 
Nvidia 8600M, 1920x1200 LCD, Blu-ray disc, proper MMC card reader, and 
ExpressCard/54. The laptops are easy to strip down and
repair and parts are cheap and easy to come by.

The fingerprint reader is quite useful for trivial unlock and sudo 
authorisation and that made me think maybe more use could be made of it. The 
points about fingerprints being lifted from the keys to
unlock it hadn't occurred to me - that'd be silly so I'm now moving to 
whole-disc encryption with the boot-loader, kernel, and initrd on a key-fob USB.

I'd still like GRUB to be able to read a key-file rather than a typed 
pass-phrase, and have the key-file hidden on a (second) small (1GB) 
randomised-data USB flash device (no file-system) so even the
operator can't be sure where to find the bytes that unlock it.

If we can figure it out we'd like to be able to configure/unlock different LVM 
volumes based on which LUKS slot is used to unlock, too, and log the LUKS 
attempts from GRUB.

Tall order I know, but the technology is there - we just have to join it up!

-----Original Message-----

Hi TJ,

Are you very sure you want this?
Some time ago I've been experimenting with fingerprints, and the result was not 
encouraging...
From a security point of view, not that many problems (besides all the well-known 
general issues with fingerprints).
I mean no false positives, but the huge amount of false negatives: nine times 
out of ten, I did not recognize correctly. Always glad I could still use 
username & pwd.
As I was testing on IBM-Lenovo laptops, I think (hope) that those readers were 
of decent quality...

So unless the quality of the readers has improved drastically in the last five years, 
you had better think twice before embarking on such a trip...

Hw






