-----Original Message-----
From: grub-devel-bounces+j.witvliet=mindef...@gnu.org [mailto:grub-devel-bounces+j.witvliet=mindef...@gnu.org] On Behalf Of TJ
Sent: Thursday, August 29, 2013 10:20 PM
To: grub-devel@gnu.org
Subject: Re: LUKS Encryption and Fingerprint readers?

On 29/08/13 20:13, Glenn Washburn wrote:
> On Thu, 15 Aug 2013 17:51:03 +0100
> TJ <grub-de...@iam.tj> wrote:
>
>> So I'd like to know what support for key-files and/or fingerprint
>> reading is/could be as input for LUKS unlocking?
>>
>> My other thought, to keep things simple, is to encrypt the entire
>> hard drive and install GRUB and the /boot/ files on the removable USB
>> key. More clunky but maybe easier to achieve.
>
> Based on this comment I assume you currently have an unencrypted boot
> area on the hard drive and are using an initrd.

I've been using a classical unencrypted boot-loader and kernel/initrd with LUKS key-file protected file-systems on the servers and desktops.

I've recently decided to standardise on a single model laptop, the Dell XPS m1530, which includes a fingerprint reader. A primary reason for selecting this model is its 3 mini-PCIe internal slots and good range of external interfaces, coupled with 8GB RAM, VDPAU-supporting Nvidia 8600M, 1920x1200 LCD, Blu-ray disc, proper MMC card reader, and ExpressCard/54. The laptops are easy to strip down and repair and parts are cheap and easy to come by.

The fingerprint reader is quite useful for trivial unlock and sudo authorisation and that made me think maybe more use could be made of it. The points about fingerprints being lifted from the keys to unlock it hadn't occurred to me - that'd be silly so I'm now moving to whole-disc encryption with the boot-loader, kernel, and initrd on a key-fob USB.

I'd still like GRUB to be able to read a key-file rather than a typed pass-phrase, and have the key-file hidden on a (second) small (1GB) randomised-data USB flash device (no file-system) so even the operator can't be sure where to find the bytes that unlock it.

If we can figure it out we'd like to be able to configure/unlock different LVM volumes based on which LUKS slot is used to unlock, too, and log the LUKS attempts from GRUB.

Tall order I know, but the technology is there - we just have to join it up!

-----Original Message-----

Hi TJ,

Are you very sure you want this?

Some time ago I've been experimenting with fingerprints, and the result was not encouraging... From a security point of view not that many problems (besides all the well known general issues with fingerprints). I mean no false positives, but the huge amount of false negatives: nine times out of ten it did not recognise me correctly. Always glad I could still use username & pwd.

As I was testing on IBM-Lenovo laptops, I think (hope) that those readers were of decent quality... So unless the quality of the readers has improved drastically in the last five years, you'd better think twice before embarking on such a trip...

Hw

______________________________________________________________________
This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
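The key-file layout TJ describes in the thread above (key bytes hidden at an unadvertised offset inside a raw USB device filled with random data, no file-system) can be prototyped and verified with plain dd. The script below is an added example and is not code from the thread, from GRUB or from cryptsetup; the image file, the 1 MiB offset and the 64-byte key size are constructed values for the demo, and a real deployment would point at the block device of the key stick instead of a temp file.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): a LUKS key-file hidden at a
# byte offset inside a random-filled raw device image, plus the read-back an
# initrd script would do. All values below are assumptions chosen for the demo.
set -eu

KEY_SIZE=64          # bytes of key material (assumption)
KEY_OFFSET=1048576   # 1 MiB into the device; must be a multiple of KEY_SIZE
IMG_SIZE_MIB=4       # small constructed image so the demo runs quickly

# Fill the whole image with random bytes so the key region is not
# distinguishable from the surrounding fill by inspection.
make_random_image() {
    img=$1
    dd if=/dev/urandom of="$img" bs=1048576 count="$IMG_SIZE_MIB" 2>/dev/null
}

# Generate KEY_SIZE bytes of fresh key material into $2 and write it into the
# image at KEY_OFFSET without truncating the rest of the image.
embed_key() {
    img=$1; keyfile=$2
    dd if=/dev/urandom of="$keyfile" bs="$KEY_SIZE" count=1 2>/dev/null
    dd if="$keyfile" of="$img" bs="$KEY_SIZE" seek=$((KEY_OFFSET / KEY_SIZE)) \
        count=1 conv=notrunc 2>/dev/null
}

# Read KEY_SIZE bytes back from byte offset $2 of the image into $3.
# cryptsetup can do the same read itself via --keyfile-offset/--keyfile-size.
extract_key() {
    img=$1; offset=$2; out=$3
    dd if="$img" of="$out" bs="$KEY_SIZE" skip=$((offset / KEY_SIZE)) count=1 2>/dev/null
}

# Returns 0 when the key read back from the right offset matches what was embedded.
demo_roundtrip() {
    tmp=$(mktemp -d)
    make_random_image "$tmp/usb.img"
    embed_key "$tmp/usb.img" "$tmp/key.bin"
    extract_key "$tmp/usb.img" "$KEY_OFFSET" "$tmp/read.bin"
    if cmp -s "$tmp/key.bin" "$tmp/read.bin"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# Returns 0 when reading from a wrong offset yields bytes that do NOT match the
# key, i.e. the random fill gives no hint about where the key lives.
demo_wrong_offset() {
    tmp=$(mktemp -d)
    make_random_image "$tmp/usb.img"
    embed_key "$tmp/usb.img" "$tmp/key.bin"
    extract_key "$tmp/usb.img" $((KEY_OFFSET + KEY_SIZE)) "$tmp/read.bin"
    if cmp -s "$tmp/key.bin" "$tmp/read.bin"; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return $rc
}

# Stand-alone run: report both checks.
if demo_roundtrip && demo_wrong_offset; then
    echo "key-at-offset layout verified"
fi
```

On the unlocking side, `cryptsetup luksOpen --key-file /dev/sdX --keyfile-offset 1048576 --keyfile-size 64 ...` reads the same bytes directly from the stick, so the key never has to exist as a file on the host. The offset and size then live in the initrd script, which is exactly why TJ wants that initrd on a separately kept boot USB; and because the key stick is a single physical token, a passphrase in a second LUKS key slot is the sensible fallback against losing it.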