grub-devel

Re: LUKS Encryption and Fingerprint readers?


From: Lennart Sorensen
Subject: Re: LUKS Encryption and Fingerprint readers?
Date: Fri, 30 Aug 2013 10:38:36 -0400
User-agent: Mutt/1.5.20 (2009-06-14)

On Fri, Aug 30, 2013 at 11:10:39AM +0200, address@hidden wrote:
> -----Original Message-----
> From: address@hidden [mailto:address@hidden On Behalf Of TJ
> Sent: Thursday, August 29, 2013 10:20 PM
> To: address@hidden
> Subject: Re: LUKS Encryption and Fingerprint readers?
> 
> On 29/08/13 20:13, Glenn Washburn wrote:
> > On Thu, 15 Aug 2013 17:51:03 +0100
> > TJ <address@hidden> wrote:
> > 
> >> So I'd like to know what support for key-files and/or fingerprint
> >> reading is/could be as input for LUKS unlocking?
> >>
> >> My other thought, to keep things simple, is to encrypt the entire
> >> hard drive and install GRUB and the /boot/ files on the removable USB
> >> key. More clunky but maybe easier to achieve.
> > 
> > Based on this comment I assume you currently have an unencrypted boot
> > area on the harddrive and using an initrd.
> 
> I've been using a classical unencrypted boot-loader and kernel/initrd with 
> LUKS key-file protected file-systems on the servers and desktops.
> 
> I've recently decided to standardise on a single model laptop, the Dell XPS 
> m1530, which includes a fingerprint reader. A primary reason for selecting 
> this model is its 3 mini-PCIe internal slots and
> good range of external interfaces, coupled with 8GB RAM, VDPAU-supporting 
> Nvidia 8600M, 1920x1200 LCD, Blu-ray disc, proper MMC card reader, and 
> ExpressCard/54. The laptops are easy to strip down and
> repair and parts are cheap and easy to come-by.
> 
> The fingerprint reader is quite useful for trivial unlock and sudo 
> authorisation and that made me think maybe more use could be made of it. The 
> points about fingerprints being lifted from the keys to
> unlock it hadn't occurred to me - that'd be silly so I'm now moving to 
> whole-disc encryption with the boot-loader, kernel, and initrd on a key-fob 
> USB.
> 
> I'd still like GRUB to be able to read a key-file rather than a typed 
> pass-phrase, and have the key-file hidden on a (second) small (1GB) 
> randomised-data USB flash device (no file-system) so even the
> operator can't be sure where to find the bytes that unlock it.
> 
> If we can figure it out we'd like to be able to configure/unlock different 
> LVM volumes based on which LUKS slot is used to unlock, too, and log the LUKS 
> attempts from GRUB.
> 
> Tall order I know, but the technology is there - we just have to join it up!
> 
> -----Original Message-----
> 
> Hi TJ,
> 
> Are you very sure you want this?
> Some time ago I've been experimenting with fingerprints, and the result was 
> not encouraging...
> From a security point of view, not that many problems (besides all the well-known 
> general issues with fingerprints).
> I mean no false positives, but a huge number of false negatives: nine 
> times out of ten, I was not recognized correctly. Always glad I could still 
> use username & pwd.
> As I was testing on IBM-Lenovo laptops, I think (hope) that those readers 
> were of decent quality...
> 
> So unless the quality of the readers has improved drastically in the last five 
> years, you had better think twice before embarking on such a trip...

They have improved.  The one on my W530 which is about 9 months old
works very well.  Even swiping on a slight angle is no longer a problem.
I would say it only fails to recognize a swipe 1 in 20 times.  Given how
well it worked I was wondering if perhaps it was just letting everything
through, but using fingers I didn't register has never worked any time
I have tried, so it does seem they really have gotten better.

-- 
Len Sorensen


