From: Yves-Alexis Perez
Date: Wed, 18 Jun 2014 17:37:14 +0200
Subject: Re: [dm-crypt] Two Factor Authentication With LUKS
To: Arno Wagner, marcos marrero
Cc: dm-crypt@saout.de

On Tue, 2014-06-17 at 20:11 +0200, Arno Wagner wrote:
> But you should know that an RSA token does not provide any secret
> when used to authenticate. It proves that it knows a secret, but
> that secret is not transferred. Hence an RSA token is not suitable
> for use with disk encryption.

Well, if the hardware device is able to decrypt something (like a pkcs11
token or an OpenPGP smartcard, for example), it's at least possible to
store an encrypted keyfile somewhere accessible at boot, then ask the
token for decryption and feed that to cryptsetup. I'm not sure if Google
Authenticator and the RSA token you're talking about fit in that
description though.

Regards,
--
Yves-Alexis
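
The wrapped-keyfile flow described in the message above, as an added example that is not part of the original post: a keyfile is encrypted to the token's public key, stored in wrapped form, and recovered by a private-key decryption whose output is piped to cryptsetup. A software RSA key stands in for the token here, and the file names, `/dev/sdX2` and `cryptroot` are placeholders.

```shell
#!/bin/sh
# Added example: a software RSA key stands in for the token's private key.
# File names, /dev/sdX2 and "cryptroot" are placeholders (assumptions).
set -eu

# Enrollment (once): wrap the LUKS keyfile to the token's public key.
# Only the wrapped copy is stored on the unencrypted boot partition.
wrap_keyfile() {    # $1 public key (PEM)  $2 plaintext keyfile  $3 wrapped output
    openssl pkeyutl -encrypt -pubin -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -in "$2" -out "$3"
}

# Boot: the private-key operation writes the keyfile to stdout. With a real
# token this decryption runs on the device (for an OpenPGP card, gpg --decrypt
# of a gpg-encrypted keyfile), so the private key never leaves the hardware.
unwrap_keyfile() {  # $1 private key (PEM)  $2 wrapped keyfile
    openssl pkeyutl -decrypt -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -in "$2"
}

# Round trip on constructed data in a temp dir; returns 0 on success.
demo_roundtrip() {
    d=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/priv.pem" 2>/dev/null
    openssl pkey -in "$d/priv.pem" -pubout -out "$d/pub.pem"
    openssl rand -out "$d/keyfile" 64          # constructed 64-byte keyfile
    wrap_keyfile "$d/pub.pem" "$d/keyfile" "$d/keyfile.wrapped"
    unwrap_keyfile "$d/priv.pem" "$d/keyfile.wrapped" > "$d/keyfile.out"
    rc=0
    cmp -s "$d/keyfile" "$d/keyfile.out" || rc=1       # must round-trip
    cmp -s "$d/keyfile" "$d/keyfile.wrapped" && rc=1   # must not be stored in clear
    rm -rf "$d"
    return "$rc"
}

# On the real system (root and a LUKS volume required, so not run here):
#   cryptsetup luksAddKey /dev/sdX2 keyfile      # enroll, then destroy the plaintext
#   unwrap_keyfile priv.pem keyfile.wrapped | \
#       cryptsetup luksOpen --key-file=- /dev/sdX2 cryptroot

if [ "${1:-}" = "--demo" ]; then
    demo_roundtrip && echo "round trip ok"
fi
```

The second factor comes from the token's own PIN prompt at decryption time; the LUKS volume itself only ever sees the recovered keyfile.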