From: Arno Wagner
Date: Wed, 18 Jun 2014 21:41:03 +0200
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Two Factor Authentication With LUKS
Message-ID: <20140618194103.GA4293@tansi.org>
In-Reply-To: <1403105834.19383.45.camel@scapa>
References: <1403012872.12239.YahooMailNeo@web120304.mail.ne1.yahoo.com> <20140617181145.GA13435@tansi.org> <1403105834.19383.45.camel@scapa>

On Wed, Jun 18, 2014 at 17:37:14 CEST, Yves-Alexis Perez wrote:
> On mar., 2014-06-17 at 20:11 +0200, Arno Wagner wrote:
> > But you should know that an RSA token does not provide any secret
> > when used to authenticate. It proves that it knows a secret, but
> > that secret is not transferred. Hence an RSA token is not suitable
> > for use with disk encryption.
>
> Well, if the hardware device is able to decrypt something (like a pkcs11
> token or an OpenPGP smartcard, for example), it's at least possible to
> store an encrypted keyfile somewhere accessible at boot, then ask the
> token for decryption and feed that to cryptsetup.

True, but then the disk-encryption is done via that Smartcard or
pkcs11 token. The RSA token would just communicate with them and
not with the disk-encryption and it becomes a different problem.

> I'm not sure if google authenticator and the RSA token you're talking
> about fit in that description though.

I am not sure either.

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. - Plato
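
Added example, not part of the original message or of cryptsetup: it contrasts a code-displaying authenticator (RFC 6238 TOTP as used by Google Authenticator; the RSA token's own algorithm is not modelled) with a token that can decrypt a stored keyfile. DecryptingToken is a hypothetical stand-in that uses an HMAC keystream in place of the card's real decryption, and the seed, salt, nonce and keyfile are constructed values.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): proves knowledge of `secret`, never reveals it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def key_from_code(code: str, salt: bytes) -> bytes:
    """Naive attempt to turn the displayed code into a volume passphrase."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 10_000)


class DecryptingToken:
    """Hypothetical stand-in for a PKCS#11 token or OpenPGP card.

    The secret stays inside the object; callers only get decrypt results.
    The HMAC-SHA256 keystream XOR is a toy replacement for the card's cipher.
    """

    def __init__(self, private_secret: bytes):
        self._secret = private_secret

    def _stream(self, nonce: bytes, length: int) -> bytes:
        out, block = b"", 0
        while len(out) < length:
            msg = nonce + struct.pack(">I", block)
            out += hmac.new(self._secret, msg, hashlib.sha256).digest()
            block += 1
        return out[:length]

    def crypt(self, nonce: bytes, data: bytes) -> bytes:
        # XOR is its own inverse, so this both wraps and unwraps.
        return bytes(a ^ b for a, b in zip(data, self._stream(nonce, len(data))))


def demo():
    seed, salt = b"12345678901234567890", b"constructed-salt"  # RFC 6238 test seed
    # The code at enrolment and the code at a later boot give different keys.
    same_key = key_from_code(totp(seed, 59), salt) == key_from_code(totp(seed, 1111111109), salt)
    token = DecryptingToken(b"constructed card secret")
    keyfile = hashlib.sha256(b"constructed keyfile").digest()
    blob = token.crypt(b"nonce-01", keyfile)  # what would sit on disk at boot
    # The unwrapped keyfile is stable and is what would be fed to cryptsetup.
    return same_key, token.crypt(b"nonce-01", blob) == keyfile


if __name__ == "__main__":
    print(demo())
```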