Re: LUKS Encryption and Fingerprint readers?
From: Lennart Sorensen
Subject: Re: LUKS Encryption and Fingerprint readers?
Date: Fri, 30 Aug 2013 10:38:36 -0400
User-agent: Mutt/1.5.20 (2009-06-14)
On Fri, Aug 30, 2013 at 11:10:39AM +0200, address@hidden wrote:
> -----Original Message-----
> From: address@hidden [mailto:address@hidden On Behalf Of TJ
> Sent: Thursday, August 29, 2013 10:20 PM
> To: address@hidden
> Subject: Re: LUKS Encryption and Fingerprint readers?
>
> On 29/08/13 20:13, Glenn Washburn wrote:
> > On Thu, 15 Aug 2013 17:51:03 +0100
> > TJ <address@hidden> wrote:
> >
> >> So I'd like to know what support for key-files and/or fingerprint
> >> reading is/could be as input for LUKS unlocking?
> >>
> >> My other thought, to keep things simple, is to encrypt the entire
> >> hard drive and install GRUB and the /boot/ files on the removable USB
> >> key. More clunky but maybe easier to achieve.
> >
> > Based on this comment I assume you currently have an unencrypted boot
> > area on the harddrive and using an initrd.
>
> I've been using a classical unencrypted boot-loader and kernel/initrd with
> LUKS key-file protected file-systems on the servers and desktops.
>
> I've recently decided to standardise on a single model laptop, the Dell XPS
> m1530, which includes a fingerprint reader. A primary reason for selecting
> this model is its 3 mini-PCIe internal slots and good range of external
> interfaces, coupled with 8GB RAM, VDPAU-supporting Nvidia 8600M, 1920x1200
> LCD, Blu-ray disc, proper MMC card reader, and ExpressCard/54. The laptops
> are easy to strip down and repair and parts are cheap and easy to come by.
>
> The fingerprint reader is quite useful for trivial unlock and sudo
> authorisation and that made me think maybe more use could be made of it. The
> points about fingerprints being lifted from the keys to unlock it hadn't
> occurred to me - that'd be silly, so I'm now moving to whole-disc encryption
> with the boot-loader, kernel, and initrd on a key-fob USB.
>
> I'd still like GRUB to be able to read a key-file rather than a typed
> pass-phrase, and have the key-file hidden on a (second) small (1GB)
> randomised-data USB flash device (no file-system) so even the
> operator can't be sure where to find the bytes that unlock it.
>
> If we can figure it out we'd like to be able to configure/unlock different
> LVM volumes based on which LUKS slot is used to unlock, too, and log the LUKS
> attempts from GRUB.
>
> Tall order I know, but the technology is there - we just have to join it up!
>
> -----Original Message-----
>
> Hi TJ,
>
> Are you very sure you want this?
> Some time ago I've been experimenting with fingerprints, and the result was
> not encouraging...
> From a security point of view, not that many problems (besides all the well
> known general issues with fingerprints).
> I mean no false positives, but the huge amount of false negatives: nine
> times out of ten, I did not recognize correctly. Always glad I could still
> use username & pwd.
> As I was testing on IBM-Lenovo laptops, I think (hope) that those readers
> were of decent quality...
>
> So unless the quality of the readers has improved drastically in the last
> five years, you'd better think twice before embarking on such a trip...
They have improved. The one on my W530 which is about 9 months old
works very well. Even swiping on a slight angle is no longer a problem.
I would say it only fails to recognize a swipe 1 in 20 times. Given how
well it worked I was wondering if perhaps it was just letting everything
through, but using fingers I didn't register has never worked any time
I have tried, so it does seem they really have gotten better.
--
Len Sorensen
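Since the thread talks about acting on which LUKS key slot unlocks a volume, here is an added example (not from this thread, nor code from GRUB or cryptsetup) that parses the fixed part of a LUKS1 on-disk header and reports the enabled key slots, the same information `cryptsetup luksDump` prints; it assumes the LUKS1 layout (592-byte big-endian header, 8 slots of 48 bytes), and the header it reads is constructed inside the script rather than taken from a real device.

```python
import struct

# LUKS1 on-disk constants (assumed from the LUKS1 format, not from this thread)
LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS_KEY_ENABLED = 0x00AC71F3
LUKS_KEY_DISABLED = 0x0000DEAD
HDR_FMT = ">6sH32s32s32sII20s32sI40s"   # fixed header part, 208 bytes, big-endian
SLOT_FMT = ">II32sII"                    # one key slot: active, iterations, salt, offset, stripes

def parse_luks1_header(blob):
    """Return cipher spec and the list of enabled key slots from a LUKS1 header."""
    if len(blob) < 592 or blob[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    (_, version, cipher, mode, hashspec, payload_off, key_bytes,
     _digest, _salt, _iters, uuid) = struct.unpack_from(HDR_FMT, blob, 0)
    if version != 1:
        raise ValueError("unsupported LUKS version %d" % version)
    slots = []
    for i in range(8):
        active, iters, _salt, km_off, stripes = struct.unpack_from(SLOT_FMT, blob, 208 + 48 * i)
        if active == LUKS_KEY_ENABLED:
            slots.append({"slot": i, "iterations": iters,
                          "key_material_offset": km_off, "stripes": stripes})
        elif active != LUKS_KEY_DISABLED:
            # Anything other than the two defined markers means a damaged or forged header
            raise ValueError("slot %d has unknown state 0x%08x" % (i, active))
    return {"cipher": cipher.rstrip(b"\0").decode(), "mode": mode.rstrip(b"\0").decode(),
            "hash": hashspec.rstrip(b"\0").decode(), "uuid": uuid.rstrip(b"\0").decode(),
            "payload_offset_sectors": payload_off, "key_bytes": key_bytes,
            "active_slots": slots}

def build_sample_header(active_slots):
    """Constructed LUKS1 header for demonstration; the salts and digest are dummies."""
    fixed = struct.pack(HDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                        4096, 64, b"\0" * 20, b"\0" * 32, 1000,
                        b"00000000-0000-4000-8000-000000000000")
    body = b""
    for i in range(8):
        state = LUKS_KEY_ENABLED if i in active_slots else LUKS_KEY_DISABLED
        # key material for 64-byte keys with 4000 stripes occupies 504 sectors per slot
        body += struct.pack(SLOT_FMT, state, 150000, b"\x11" * 32, 8 + i * 504, 4000)
    return fixed + body

if __name__ == "__main__":
    info = parse_luks1_header(build_sample_header({0, 3}))
    print(info["cipher"], info["mode"], [s["slot"] for s in info["active_slots"]])
```

On a real device the same function can be fed `open("/dev/sdX", "rb").read(592)`; a volume with only one enabled slot has no fallback passphrase if the key-file USB is lost.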