From: "Lennart Sorensen" <lsorense@csclub.uwaterloo.ca>
To: The development of GNU GRUB <grub-devel@gnu.org>
Subject: Re: LUKS Encryption and Fingerprint readers?
Date: Fri, 30 Aug 2013 10:38:36 -0400	[thread overview]
Message-ID: <20130830143836.GS12616@csclub.uwaterloo.ca> (raw)
In-Reply-To: <20130830091044.38CAE17CCB5@mx3-out.mindef.nl>

On Fri, Aug 30, 2013 at 11:10:39AM +0200, J.Witvliet@mindef.nl wrote:
> -----Original Message-----
> From: grub-devel-bounces+j.witvliet=mindef.nl@gnu.org [mailto:grub-devel-bounces+j.witvliet=mindef.nl@gnu.org] On Behalf Of TJ
> Sent: Thursday, August 29, 2013 10:20 PM
> To: grub-devel@gnu.org
> Subject: Re: LUKS Encryption and Fingerprint readers?
> 
> On 29/08/13 20:13, Glenn Washburn wrote:
> > On Thu, 15 Aug 2013 17:51:03 +0100
> > TJ <grub-devel@iam.tj> wrote:
> > 
> >> So I'd like to know what support for key-files and/or fingerprint
> >> reading is/could be as input for LUKS unlocking?
> >>
> >> My other thought, to keep things simple, is to encrypt the entire
> >> hard drive and install GRUB and the /boot/ files on the removable USB
> >> key. More clunky but maybe easier to achieve.
> > 
> > Based on this comment I assume you currently have an unencrypted boot
> > area on the harddrive and using an initrd.
> 
> I've been using a classical unencrypted boot-loader and kernel/initrd with LUKS key-file protected file-systems on the servers and desktops.
> 
> I've recently decided to standardise on a single model laptop, the Dell XPS m1530, which includes a fingerprint reader. A primary reason for selecting this model is its 3 mini-PCIe internal slots and good range of external interfaces, coupled with 8GB RAM, VDPAU-supporting Nvidia 8600M, 1920x1200 LCD, Blu-ray disc, proper MMC card reader, and ExpressCard/54. The laptops are easy to strip down and repair and parts are cheap and easy to come by.
> 
> The fingerprint reader is quite useful for trivial unlock and sudo authorisation and that made me think maybe more use could be made of it. The points about fingerprints being lifted from the keys to unlock it hadn't occurred to me - that'd be silly so I'm now moving to whole-disc encryption with the boot-loader, kernel, and initrd on a key-fob USB.
> 
> I'd still like GRUB to be able to read a key-file rather than a typed pass-phrase, and have the key-file hidden on a (second) small (1GB) randomised-data USB flash device (no file-system) so even the operator can't be sure where to find the bytes that unlock it.
> 
> If we can figure it out we'd like to be able to configure/unlock different LVM volumes based on which LUKS slot is used to unlock, too, and log the LUKS attempts from GRUB.
> 
> Tall order I know, but the technology is there - we just have to join it up!
> 
> -----Original Message-----
> 
> Hi TJ,
> 
> Are you very sure you want this?
> Some time ago I've been experimenting with fingerprints, and the result was not encouraging...
> From a security point of view, not that many problems (besides all the well-known general issues with fingerprints).
> I mean no false positives, but the huge amount of false negatives: nine times out of ten, it did not recognize correctly. Always glad I could still use username & pwd.
> As I was testing on IBM-Lenovo laptops, I think (hope) that those readers were of decent quality...
> 
> So unless the quality of the readers has improved drastically in the last five years, you had better think twice before embarking on such a trip...

They have improved.  The one on my W530 which is about 9 months old
works very well.  Even swiping on a slight angle is no longer a problem.
I would say it only fails to recognize a swipe 1 in 20 times.  Given how
well it worked I was wondering if perhaps it was just letting everything
through, but using fingers I didn't register has never worked any time
I have tried, so it does seem they really have gotten better.

-- 
Len Sorensen

