From: TJ
To: grub-devel@gnu.org
Subject: Re: LUKS Encryption and Fingerprint readers?
Date: Thu, 29 Aug 2013 21:20:14 +0100
Message-ID: <521FACFE.1050906@iam.tj>
References: <520D06F7.5030900@iam.tj> <20130829141327.25173ac9@crass-Ideapad-Z570>
In-Reply-To: <20130829141327.25173ac9@crass-Ideapad-Z570>
List-Id: The development of GNU GRUB <grub-devel@gnu.org>

On 29/08/13 20:13, Glenn Washburn wrote:
> On Thu, 15 Aug 2013 17:51:03 +0100
> TJ wrote:
>
>> So I'd like to know what support for key-files and/or fingerprint
>> reading is/could be as input for LUKS unlocking?
>>
>> My other thought, to keep things simple, is to encrypt the entire
>> hard drive and install GRUB and the /boot/ files on the removable USB
>> key. More clunky but maybe easier to achieve.
>
> Based on this comment I assume you currently have an unencrypted boot
> area on the harddrive and using an initrd.

I've been using a classical unencrypted boot-loader and kernel/initrd with LUKS key-file protected file-systems on the servers and desktops. I've recently decided to standardise on a single model laptop, the Dell XPS m1530, which includes a fingerprint reader. A primary reason for selecting this model is its 3 mini-PCIe internal slots and good range of external interfaces, coupled with 8GB RAM, VDPAU-supporting Nvidia 8600M, 1920x1200 LCD, Blu-ray disc, proper MMC card reader, and ExpressCard/54. The laptops are easy to strip down and repair and parts are cheap and easy to come by. The fingerprint reader is quite useful for trivial unlock and sudo authorisation and that made me think maybe more use could be made of it.
The points about fingerprints being lifted from the keys to unlock it hadn't occurred to me - that'd be silly, so I'm now moving to whole-disc encryption with the boot-loader, kernel, and initrd on a key-fob USB. I'd still like GRUB to be able to read a key-file rather than a typed pass-phrase, and have the key-file hidden on a (second) small (1GB) randomised-data USB flash device (no file-system) so even the operator can't be sure where to find the bytes that unlock it. If we can figure it out we'd like to be able to configure/unlock different LVM volumes based on which LUKS slot is used to unlock, too, and log the LUKS attempts from GRUB. Tall order I know, but the technology is there - we just have to join it up!
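An added example, not part of the thread and not GRUB's or cryptsetup's own code: a POSIX shell script that works through the "key-file hidden at an offset in a random-filled raw device" idea from the message above. It fills an ordinary file (standing in for the USB stick) with random bytes, embeds key bytes at a chosen offset with dd, reads them back the way an unlock script has to, and prints (without running) the cryptsetup commands that would enrol and use such a key region through cryptsetup's --new-keyfile-offset/--new-keyfile-size and --keyfile-offset/--keyfile-size options. The device paths /dev/sda3 and /dev/sdb, the offset and the key size are constructed values; the GRUB side of reading such a region is not covered here.

```shell
#!/bin/sh
# Added example (not from the thread): hide a LUKS key-file at a secret byte
# offset inside a raw device filled with random data, and read it back as an
# unlock script would.  An ordinary file stands in for the USB stick, so no
# root privileges and no real LUKS device are needed.  Paths, offset and key
# size below are constructed for the demonstration.

set -eu

# Fill the whole "device" with random bytes so the key region cannot be told
# apart from its surroundings by inspection.
fill_device_random() {  # fill_device_random IMAGE SIZE_MIB
    dd if=/dev/urandom of="$1" bs=1M count="$2" 2>/dev/null
}

# Generate SIZE random key bytes into KEYFILE, then copy them into IMAGE at
# byte OFFSET.  conv=notrunc keeps the rest of the image intact.
embed_key() {  # embed_key IMAGE OFFSET SIZE KEYFILE
    dd if=/dev/urandom of="$4" bs=1 count="$3" 2>/dev/null
    dd if="$4" of="$1" bs=1 seek="$2" count="$3" conv=notrunc 2>/dev/null
}

# Read SIZE bytes from IMAGE starting at OFFSET to stdout: exactly what the
# unlocking side must do to reproduce the key material.
extract_key() {  # extract_key IMAGE OFFSET SIZE
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null
}

# Print (do not run) the cryptsetup invocations for this key region.
# luksAddKey reads the *new* key via --new-keyfile-offset/--new-keyfile-size;
# open reads the unlocking key via --keyfile-offset/--keyfile-size.
show_cryptsetup_commands() {  # show_cryptsetup_commands LUKS_DEV KEY_DEV OFFSET SIZE
    printf 'cryptsetup luksAddKey %s %s --new-keyfile-offset %s --new-keyfile-size %s\n' \
        "$1" "$2" "$3" "$4"
    printf 'cryptsetup open --key-file %s --keyfile-offset %s --keyfile-size %s %s root\n' \
        "$2" "$3" "$4" "$1"
}

# Return 0 when the bytes read back from IMAGE equal the original KEYFILE.
verify_roundtrip() {  # verify_roundtrip IMAGE OFFSET SIZE KEYFILE
    tmp=$(mktemp)
    extract_key "$1" "$2" "$3" > "$tmp"
    if cmp -s "$tmp" "$4"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Demonstration on a temporary 8 MiB image (constructed values throughout).
demo_dir=$(mktemp -d)
IMG="$demo_dir/keystick.img"   # stands in for the raw USB device
KEY="$demo_dir/original.key"   # the key bytes as enrolled
OFFSET=1234567                 # arbitrary secret offset
SIZE=4096                      # key length in bytes
fill_device_random "$IMG" 8
embed_key "$IMG" "$OFFSET" "$SIZE" "$KEY"
verify_roundtrip "$IMG" "$OFFSET" "$SIZE" "$KEY" && echo "key region reads back intact"
show_cryptsetup_commands /dev/sda3 /dev/sdb "$OFFSET" "$SIZE"
rm -rf "$demo_dir"
```

Two things this makes visible: the secrecy of the offset adds obscurity only, so the protection of the scheme rests on physical custody of the stick, and the key should therefore go into its own LUKS slot so that it can be revoked with `cryptsetup luksKillSlot` if the stick is lost; and the unlock side needs nothing more than a byte-range read of the raw device, which is what a boot-loader would have to provide for this to work without an initrd.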