* [dm-crypt] question on available userspace authentication methods
@ 2011-09-02  7:29 marcin kowalski
  2011-09-02  9:32 ` Yves-Alexis Perez
  2011-09-02  9:34 ` Shardis
  0 siblings, 2 replies; 4+ messages in thread
From: marcin kowalski @ 2011-09-02  7:29 UTC (permalink / raw)
  To: dm-crypt

This is mostly a question on cryptsetup; if this is the wrong list, I'd be
thankful for information on where the proper mailing list for it is.

Hi list, I've been using dm-crypt through cryptsetup for quite a while
now. So far my impression is that your authentication is limited to
either providing a keyfile, or typing in a password to unlock
encrypted volumes. Maybe there are more ways to authenticate, and I am
just not aware of it.

Are there any other authentication methods one could use?

I'm mostly interested in whether somebody is planning to adapt
cryptsetup to authenticate using a USB microcontroller device
(Teensy, Arduino, Atmel)? Having a physical key device that's not
just a flash drive with a plain key on it (either as a file or data
hidden in a few sectors (Arch Linux has such an option)) would sound a
bit more reasonable.


* Re: [dm-crypt] question on available userspace authentication methods
  2011-09-02  7:29 [dm-crypt] question on available userspace authentication methods marcin kowalski
@ 2011-09-02  9:32 ` Yves-Alexis Perez
  2011-09-02 11:53   ` Arno Wagner
  2011-09-02  9:34 ` Shardis
  1 sibling, 1 reply; 4+ messages in thread
From: Yves-Alexis Perez @ 2011-09-02  9:32 UTC (permalink / raw)
  To: dm-crypt


On ven., 2011-09-02 at 09:29 +0200, marcin kowalski wrote:
> Are there any other authentication methods one could use?

You just need a keyscript which will output the key on stdout and pipe
it to cryptsetup.

I'm not exactly sure if there are security implications there (like if
the key could be somewhere on memory not protected or something like
that).

Regards,
-- 
Yves-Alexis
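A minimal keyscript of the kind Yves-Alexis describes, written here as an added example and not taken from the thread or from cryptsetup itself. It assumes a removable token that exposes its secret at a readable path (a constructed temp file in the stand-alone run, a hypothetical `/dev/disk/by-id/usb-TOKEN-part1` in the deployment comment) and relies on cryptsetup's documented `--key-file=-` to read the key from stdin:

```shell
#!/bin/sh
# Added example, not code from the thread: a two-factor keyscript that
# mixes a secret read from a removable token with a typed passphrase and
# writes the resulting key to stdout, so it can be piped into cryptsetup
# with --key-file=- and never lands on disk as a file.
# Assumed: the token exposes its secret at a readable path (a file here,
# a raw partition in practice) and sha256sum is available.
set -eu

# derive_key TOKEN_PATH PASSPHRASE
# Prints exactly 64 hex characters (a 256-bit value) with no trailing
# newline, so enrolment (luksAddKey --key-file=-) and open see the same
# bytes. Fails closed when the token is absent, so a missing device can
# never silently degrade to passphrase-only.
derive_key() {
    token_path="$1"
    passphrase="$2"
    [ -r "$token_path" ] || { echo "keyscript: token not present" >&2; return 1; }
    # NUL separator keeps "ab"+"c" and "a"+"bc" from hashing identically.
    key=$( { cat "$token_path"; printf '\0%s' "$passphrase"; } | sha256sum | cut -c1-64 )
    printf '%s' "$key"
}

# make_test_token: writes a constructed secret to a temp file and prints
# its path, standing in for the real token during a stand-alone run.
make_test_token() {
    f=$(mktemp)
    printf 'constructed-token-secret-0123456789' > "$f"
    printf '%s' "$f"
}

# Deployment shape (not run here). The passphrase should be read from the
# terminal with echo off rather than passed on the command line, where it
# would be visible in the process list:
#   derive_key /dev/disk/by-id/usb-TOKEN-part1 "$pass" \
#       | cryptsetup open --key-file=- /dev/sdb1 secure
# The derived key still lives in this script's memory and, once the device
# is mapped, in the kernel, where root can read it anyway
# (dmsetup table --showkeys); hiding it from root is not a goal this can meet.
```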



* Re: [dm-crypt] question on available userspace authentication methods
  2011-09-02  7:29 [dm-crypt] question on available userspace authentication methods marcin kowalski
  2011-09-02  9:32 ` Yves-Alexis Perez
@ 2011-09-02  9:34 ` Shardis
  1 sibling, 0 replies; 4+ messages in thread
From: Shardis @ 2011-09-02  9:34 UTC (permalink / raw)
  To: dm-crypt


I've found YubiKey fairly interesting re: another factor for authentication
for quite a while now. You can do OTPs or static keys on the same USB device
that reads as a keyboard for inputting the desired key.

IIRC Red Hat and Debian have support for YubiKeys baked in...

Connected by DROID on Verizon Wireless





* Re: [dm-crypt] question on available userspace authentication methods
  2011-09-02  9:32 ` Yves-Alexis Perez
@ 2011-09-02 11:53   ` Arno Wagner
  0 siblings, 0 replies; 4+ messages in thread
From: Arno Wagner @ 2011-09-02 11:53 UTC (permalink / raw)
  To: dm-crypt

On Fri, Sep 02, 2011 at 11:32:03AM +0200, Yves-Alexis Perez wrote:
> On ven., 2011-09-02 at 09:29 +0200, marcin kowalski wrote:
> > Are there any other authentication methods one could use?
> 
> You just need a keyscript which will output the key on stdout and pipe
> it to cryptsetup.
> 
> I'm not exactly sure if there are security implications there (like if
> the key could be somewhere on memory not protected or something like
> that).

Not really. If you are root, you can query the key anyways,
see FAQ item "How do I recover the master key from a mapped 
LUKS container?". This is not a surprise or design defect.
As root can access the whole memory (via /proc/kcore) the
key cannot be hidden anyways. 

As to the key staying in memory from the piping, as far as 
I know that does not happen. I could be wrong though. 

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

