From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <520D06F7.5030900@iam.tj>
Date: Thu, 15 Aug 2013 17:51:03 +0100
From: TJ
To: grub-devel@gnu.org
Subject: LUKS Encryption and Fingerprint readers?
List-Id: The development of GNU GRUB

I was searching for any hint that GRUB might support using a fingerprint reading device as input for unlocking encryption. I found discussion on the mailing list from 2009 centred mostly around TPM which didn't seem to go anywhere, so I wondered what the current thoughts are on supporting one?

The use-case I have is a fleet of laptops equipped with fingerprint readers running Linux which need to be secure in the event of theft. BIOS passwords will be used. The hard disks will be using full-disk LUKS encryption.

I'd like to avoid using pass-phrases since complex phrases inevitably end up being forgotten by users, which points to using a key-file. I've been unsuccessful in determining if support for a key-file via an external USB device is supported, but that led me to thinking that using the built-in fingerprint reader as a source of the key (via integration of the libfprint [1]) might also be possible.

So I'd like to know what support for key-files and/or fingerprint reading is/could be as input for LUKS unlocking?

My other thought, to keep things simple, is to encrypt the entire hard drive and install GRUB and the /boot/ files on the removable USB key. More clunky but maybe easier to achieve.

[1] http://www.freedesktop.org/wiki/Software/fprint/libfprint/