* [dm-crypt] Two Factor Authentication With LUKS
@ 2014-06-17 13:47 marcos marrero
  2014-06-17 18:11 ` Arno Wagner
  0 siblings, 1 reply; 4+ messages in thread
From: marcos marrero @ 2014-06-17 13:47 UTC (permalink / raw)
  To: dm-crypt

Good Morning,

Is there any way that LUKS can be edited where it allows a token + password in order to decrypt the data? Everything that I find has to do with a key file and I don't want to use a key file, I want to use a token (like an RSA token or Google Authenticator) + password. Can you please guide me in the right direction?
 
Very Respectfully,


JR.

* Re: [dm-crypt] Two Factor Authentication With LUKS
  2014-06-17 13:47 [dm-crypt] Two Factor Authentication With LUKS marcos marrero
@ 2014-06-17 18:11 ` Arno Wagner
  2014-06-18 15:37   ` Yves-Alexis Perez
  0 siblings, 1 reply; 4+ messages in thread
From: Arno Wagner @ 2014-06-17 18:11 UTC (permalink / raw)
  To: dm-crypt

No. cryptsetup does not know or understand tokens. You can
read the passphrase from stdin (see man-page) and thereby construct
a wrapper involving another software you have to supply that can
deal with a token.

But you should know that an RSA token does not provide any secret
when used to authenticate. It proves that it knows a secret, but 
that secret is not transferred. Hence an RSA token is not suitable
for use with disk encryption. 

Arno

On Tue, Jun 17, 2014 at 15:47:52 CEST, marcos marrero wrote:
> Good Morning,
> 
> Is there any way that LUKS can be edited where it allows a token +
> password in order to decrypt the data?  Everything that I find has to do
> with a key file and I don't want to use a key file, I want to use a token
> (like an RSA token or Google Authenticator) + password.  Can you please
> guide me in the right direction?
>  
> Very Respectfully,
> 
> 
> JR.


-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -  Plato

* Re: [dm-crypt] Two Factor Authentication With LUKS
  2014-06-17 18:11 ` Arno Wagner
@ 2014-06-18 15:37   ` Yves-Alexis Perez
  2014-06-18 19:41     ` Arno Wagner
  0 siblings, 1 reply; 4+ messages in thread
From: Yves-Alexis Perez @ 2014-06-18 15:37 UTC (permalink / raw)
  To: Arno Wagner, marcos marrero; +Cc: dm-crypt

On mar., 2014-06-17 at 20:11 +0200, Arno Wagner wrote:
> But you should know that an RSA token does not provide any secret
> when used to authenticate. It proves that it knows a secret, but 
> that secret is not transferred. Hence an RSA token is not suitable
> for use with disk encryption. 

Well, if the hardware device is able to decrypt something (like a pkcs11
token or an OpenPGP smartcard, for example), it's at least possible to
store an encrypted keyfile somewhere accessible at boot, then ask the
token for decryption and feed that to cryptsetup.

I'm not sure if Google Authenticator and the RSA token you're talking
about fit in that description though.

Regards,
-- 
Yves-Alexis


* Re: [dm-crypt] Two Factor Authentication With LUKS
  2014-06-18 15:37   ` Yves-Alexis Perez
@ 2014-06-18 19:41     ` Arno Wagner
  0 siblings, 0 replies; 4+ messages in thread
From: Arno Wagner @ 2014-06-18 19:41 UTC (permalink / raw)
  To: dm-crypt

On Wed, Jun 18, 2014 at 17:37:14 CEST, Yves-Alexis Perez wrote:
> On mar., 2014-06-17 at 20:11 +0200, Arno Wagner wrote:
> > But you should know that an RSA token does not provide any secret
> > when used to authenticate. It proves that it knows a secret, but 
> > that secret is not transferred. Hence an RSA token is not suitable
> > for use with disk encryption. 
> 
> Well, if the hardware device is able to decrypt something (like a pkcs11
> token or an OpenPGP smartcard, for example), it's at least possible to
> store an encrypted keyfile somewhere accessible at boot, then ask the
> token for decryption and feed that to cryptsetup.

True, but then the disk-encryption is done via that Smartcard or
pkcs11 token. The RSA token would just communicate with them
and not with the disk-encryption and it becomes a different 
problem.
 
> I'm not sure if Google Authenticator and the RSA token you're talking
> about fit in that description though.

I am not sure either. 

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -  Plato
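
The two suggestions in this thread (a wrapper that feeds cryptsetup on stdin, and a keyfile stored encrypted and decrypted by the token) can be combined as follows. This is an added example, not code from any poster or from cryptsetup; it assumes an OpenPGP smartcard driven by gpg, a LUKS keyslot enrolled with exactly the string `build_key` prints, and hypothetical function and variable names.

```sh
#!/bin/sh
# Added example, not from the thread. Hypothetical names: build_key,
# unlock_2fa, TOKEN_DECRYPT, CRYPTSETUP, and any device or path passed in.

# Overridable so the logic can be exercised without a smartcard or root.
: "${TOKEN_DECRYPT:=gpg --quiet --decrypt}"  # private key never leaves the card
: "${CRYPTSETUP:=cryptsetup}"

# build_key PASSPHRASE ENCRYPTED_KEYFILE
# Prints the key material: the typed passphrase, a colon, then the
# token-decrypted keyfile as hex (safe for binary keyfiles in a variable).
build_key() {
    hex=$($TOKEN_DECRYPT "$2" | od -An -v -tx1 | tr -d ' \n')
    # Empty output means the token was absent or refused to decrypt:
    # fail instead of falling back to the passphrase alone.
    [ -n "$hex" ] || return 1
    printf '%s:%s' "$1" "$hex"
}

# unlock_2fa DEVICE MAPPER_NAME ENCRYPTED_KEYFILE
unlock_2fa() {
    printf 'Passphrase: ' >&2
    if [ -t 0 ]; then stty -echo; fi
    IFS= read -r pass
    if [ -t 0 ]; then stty echo; fi
    printf '\n' >&2
    key=$(build_key "$pass" "$3") || {
        echo 'token decryption failed' >&2
        return 1
    }
    # --key-file=- makes cryptsetup read the key from stdin, without
    # stopping at newline characters.
    printf '%s' "$key" | $CRYPTSETUP luksOpen --key-file=- "$1" "$2"
}
```

Neither factor alone opens the volume: the passphrase without the card yields no keyfile plaintext, and the card without the passphrase yields only half of the enrolled key string.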
