Hi all,

I wrote a module for dracut to allow 2FA on LUKS. Currently it's a beta version. AFAIK a native solution for dracut already exists; however, it isn't compatible with systemd, and the latter is enabled by default. Furthermore, it uses GPG, but since LUKS support is already there I prefer to use the latter. Furthermore, I find a completely encrypted volume more useful.
> How does it work?

A target LUKS volume will be decrypted and attached iff the user provides a password for another LUKS volume on which there is a key for the first volume. So the user provides "something they possess" (e.g. an SD card) and "something they know" (i.e. the password to unlock the SD card). In this way, to unlock the LUKS volume an attacker (excluding EM attacks) needs a copy of the volume and its password. I think that it's very useful to unlock the root volume in this way.

Currently this relation is specified with a kernel cmdline parameter: rd.luks.2fa=UUID=keyfile_UUID:keyfile_path:UUID=target_UUID[:timeout]. This parameter is translated by a systemd generator into a systemd service.

> Why?

I wrote this module because it's very common to have a single USB controller that doesn't support any form of reset. For this reason I prefer to have that controller permanently attached to a USBVM, so it is completely hidden from dom0. Obviously it requires some other way (e.g. an SD card reader) to read another LUKS volume. From what I saw, it's very common to have a separate SD card reader that supports reset. So after boot the SD card reader could be attached to another qube (strongly recommended). In this way future SD cards aren't attached to dom0.

What do you think? How could it be improved?

Repo: https://github.com/raffaeleflorio/luks-2fa-dracut

Best Regards,
Raffaele.
-- 
You received this message because you are subscribed to the Google Groups "qubes-devel" group.
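The rd.luks.2fa= value format described in the post, parsed and validated the way a generator has to before it can emit a service (added example, not the module's own code; the validation rules, the default timeout of 0 and the sample command line are assumptions):

```shell
#!/bin/sh
# Illustrative parser for the rd.luks.2fa= value format given in the post:
#   rd.luks.2fa=UUID=keyfile_UUID:keyfile_path:UUID=target_UUID[:timeout]
# Added example, not the module's own generator code; the validation rules
# and the default timeout of 0 are assumptions.

# strip_uuid FIELD: prints the UUID from "UUID=<uuid>", returns 1 if malformed.
strip_uuid() {
    case $1 in
        UUID=?*) ;;
        *) return 1 ;;
    esac
    uuid=${1#UUID=}
    case $uuid in
        *[!0-9a-fA-F-]*) return 1 ;;   # only hex digits and dashes allowed
    esac
    printf '%s\n' "$uuid"
}

# parse_luks_2fa VALUE: prints "keyfile_uuid keyfile_path target_uuid timeout"
# or returns 1 if the value is malformed.
parse_luks_2fa() {
    value=$1
    old_ifs=$IFS; IFS=:
    set -- $value   # split on ':' (key paths containing ':' are not supported)
    IFS=$old_ifs
    [ $# -eq 3 ] || [ $# -eq 4 ] || return 1
    key_uuid=$(strip_uuid "$1") || return 1
    target_uuid=$(strip_uuid "$3") || return 1
    case $2 in /*) ;; *) return 1 ;; esac   # key path must be absolute
    timeout=${4:-0}
    case $timeout in *[!0-9]*) return 1 ;; esac   # timeout is a non-negative integer
    printf '%s %s %s %s\n' "$key_uuid" "$2" "$target_uuid" "$timeout"
}

# luks_2fa_from_cmdline CMDLINE: parses every rd.luks.2fa= entry in a kernel
# command line string; a real generator would read it from /proc/cmdline.
luks_2fa_from_cmdline() {
    for word in $1; do
        case $word in
            rd.luks.2fa=*) parse_luks_2fa "${word#rd.luks.2fa=}" || return 1 ;;
        esac
    done
}

# Constructed sample command line: one relation with a 30 s timeout.
SAMPLE_CMDLINE='root=/dev/mapper/luks-root rd.luks.2fa=UUID=1111-2222:/keys/root.key:UUID=3333-4444:30 quiet'
luks_2fa_from_cmdline "$SAMPLE_CMDLINE"
```

A malformed entry (missing field, relative key path, non-numeric timeout, or a non-UUID= device spec) makes the parser return 1, so the generator can refuse to emit a unit instead of producing one that fails at boot.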
