From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Thu, 29 Aug 2013 14:13:27 -0500
From: Glenn Washburn
To: grub-devel@gnu.org
Subject: Re: LUKS Encryption and Fingerprint readers?
Message-ID: <20130829141327.25173ac9@crass-Ideapad-Z570>
In-Reply-To: <520D06F7.5030900@iam.tj>
References: <520D06F7.5030900@iam.tj>
List-Id: The development of GNU GRUB

On Thu, 15 Aug 2013 17:51:03 +0100 TJ wrote:

> So I'd like to know what support for key-files and/or fingerprint
> reading is/could be as input for LUKS unlocking?
>
> My other thought, to keep things simple, is to encrypt the entire
> hard drive and install GRUB and the /boot/ files on the removable USB
> key. More clunky but maybe easier to achieve.

Based on this comment I assume you currently have an unencrypted boot
area on the hard drive and are using an initrd. In this case, grub need
not be in the picture at all. Grub will load the kernel and initrd,
which will then attempt to unlock the rest of the drive. It's at that
stage that you'll want to include your secret-gathering mechanism. So
your prospects are much brighter, because you have all of Linux at your
disposal.

Currently, I have my drive fully encrypted (excepting the LUKS header)
and boot from USB. I use grub to decrypt the drive and load the
encrypted kernel and initrd from there. So in my case, I would need
grub support if I wanted to use some arbitrary auth mechanism.
However, this could be mitigated by having the kernel and initrd on the
USB. I don't find it clunky if you always keep the USB on your person
(e.g. on your keychain).
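To make the first option concrete, here is an added example of the "secret gathering mechanism in the initrd" that the reply above describes. It is not code from the thread, from GRUB or from the cryptsetup project; it is a crypttab keyscript written to the Debian/Ubuntu cryptsetup initramfs convention (the hooks run the script with the crypttab key field as $1, also exported as CRYPTTAB_KEY, export CRYPTTAB_NAME for the mapping being unlocked, and take the key material from the script's stdout; /lib/cryptsetup/askpass is the prompt helper those hooks ship). The install path /usr/local/sbin/usbkey, the device label KEYUSB, the key path /keys/root.key and the ten-second wait are assumptions for the example. It tries a key file on a removable stick first and falls back to a passphrase prompt; a fingerprint reader or any other secret source would plug into the same place, since the full Linux userspace is available at this stage.

```shell
#!/bin/sh
# Added example (not from the thread, not GRUB/cryptsetup project code):
# a crypttab "keyscript" that gathers the LUKS secret inside the initrd.
# Debian/Ubuntu cryptsetup initramfs hooks call it with the crypttab key
# field as $1 (also in CRYPTTAB_KEY), export CRYPTTAB_NAME, and read the
# key from stdout.
#
# Assumed crypttab line (label, key path and script path are assumptions):
#   cryptroot UUID=<luks-uuid> /dev/disk/by-label/KEYUSB:/keys/root.key luks,keyscript=/usr/local/sbin/usbkey
#
# Policy: key file on a removable stick first, passphrase prompt second.

WAIT_SECONDS=10            # how long to wait for the stick to appear (assumed)
MOUNTPOINT=/tmp/usbkey.$$  # private mountpoint inside the initrd

# parse_keyspec "DEV:PATH" -> sets KEYDEV and KEYFILE; fails without a colon
parse_keyspec() {
    case "$1" in
        *:*) KEYDEV=${1%%:*}; KEYFILE=${1#*:} ;;
        *)   echo "usbkey: key field must be DEVICE:PATH" >&2; return 1 ;;
    esac
}

# read_key_from_dir DIR PATH -> writes the key file at DIR/PATH to stdout.
# Refuses missing, non-regular or empty files so a half-written key file
# cannot be fed to cryptsetup.
read_key_from_dir() {
    f="$1$2"
    if [ ! -f "$f" ] || [ ! -s "$f" ]; then
        echo "usbkey: no usable key file at $f" >&2
        return 1
    fi
    cat "$f"
}

# read_key_from_device DEV PATH -> waits for DEV, mounts it read-only,
# emits the key, and always unmounts again so the stick is not left
# mounted in the initrd.
read_key_from_device() {
    dev="$1"; path="$2"; waited=0
    while [ ! -b "$dev" ] && [ "$waited" -lt "$WAIT_SECONDS" ]; do
        sleep 1; waited=$((waited + 1))
    done
    [ -b "$dev" ] || { echo "usbkey: $dev did not appear" >&2; return 1; }
    mkdir -p "$MOUNTPOINT" || return 1
    mount -o ro "$dev" "$MOUNTPOINT" || return 1
    read_key_from_dir "$MOUNTPOINT" "$path"
    rc=$?
    umount "$MOUNTPOINT"
    rmdir "$MOUNTPOINT"
    return $rc
}

# main: try the stick, then fall back to the interactive prompt
main() {
    parse_keyspec "${1:-$CRYPTTAB_KEY}" || exit 1
    if read_key_from_device "$KEYDEV" "$KEYFILE"; then
        exit 0
    fi
    echo "usbkey: falling back to passphrase" >&2
    /lib/cryptsetup/askpass "Unlocking ${CRYPTTAB_NAME:-root}, enter passphrase: "
}

# The initramfs hooks export CRYPTTAB_NAME when they invoke a keyscript;
# sourced anywhere else, this file only defines the functions above.
if [ -n "${CRYPTTAB_NAME:-}" ]; then
    main "$@"
fi
```

Whoever holds the stick can unlock the disk, which is exactly why the reply keeps it on a keychain; the key file is a possession factor, and the fallback prompt is what you rely on when the stick is lost. Debian also ships a passdev keyscript that covers the device-reading half of this, so in practice you would only write your own if the secret comes from somewhere less conventional.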