On Thursday, August 9, 2018 at 10:13:54 AM UTC+1, Raffaele Florio wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hi all,
> I wrote a module for dracut to allow 2FA on LUKS. Currently it's a beta
> version. AFAIK a native solution for dracut already exists, however it isn't
> compatible with systemd and the latter is enabled by default. Furthermore it
> uses GPG, but because there is already the LUKS support I prefer to use the
> latter. Furthermore I find a completely encrypted volume more useful.
>
> How does it work?
>
> A target LUKS volume will be decrypted and attached iff the user provides a
> password for another LUKS volume on which there is a key for the first
> volume. So the user provides "something that possesses" (e.g. an SD card) and
> "something that knows" (i.e. the password to unlock the SD card). In this way
> to unlock the LUKS volume an attacker (excluding EM attack) needs a copy of
> the volume and its password. I think that it's very useful to unlock the root
> volume in this way.
> Currently this relation is specified with a kernel cmdline parameter:
> rd.luks.2fa=UUID=keyfile_UUID:keyfile_path:UUID=target_UUID[:timeout]. This
> parameter is translated by a systemd-generator to a systemd.service.
>
> Why?
>
> I wrote this module because it's very common to have a single USB controller
> that doesn't support any form of reset. For this reason I prefer to have that
> controller permanently attached to a USBVM, so completely hidden from dom0.
> Obviously it requires some other way (e.g. SD card reader) to read another
> LUKS volume. From what I saw it's very common to have a separate SD card
> reader that supports reset. So after the boot the SD card reader could be
> attached to another qube (strongly recommended). In this way future SD cards
> aren't attached to dom0.
>
> What do you think? How could it be improved?
>
> Repo = https://github.com/raffaeleflorio/luks-2fa-dracut
>
> Best Regards,
> Raffaele.
>
> -----BEGIN PGP SIGNATURE-----
>
> iQIzBAEBCAAdFiEEXw2ov1HEFPFo+AVy07vJZYtrAOMFAltsBXgACgkQ07vJZYtr
> AOMeyA//RO4xEV9HaaMayRkubpSHraWjy08rmAyUakMt2sbmDvNOCYmShIMk9iMs
> kP6rHvq2mqEZaHdPGFlZpV5VK0mfKf39X2Z54M/A1LrmLlRWb3GDab18aEzzmscw
> +/uEIH0naqYNQSnB1Gl+YflmLAGascdYdBYdHpeF0PGGjxMeY5GbPSRE7cdGH5bv
> WejPKaBvBGGuHi9vmK6xFK/R+qI/lkA/mfIy4V/XTaKvLRw4yJ/sRaBbLKKwMSGd
> 2cjUaeR5xU5hmzWifkzZMC8UlOZKlfJZByYq5YGMK4HyOdQbxjB7X+oXnQ8lZuxu
> AGMLVOahyJIyRD1ZW2qsPpN/RmKwpccdKsMMgyIoip/wSlvXEHeRgzdWb7Oi32SM
> 99295Z/yECcKK/L7NqNxUkZKcN3khlCPSdD3Q7ZnMhHibnCXXjvJF3OFCg/ABSCg
> 2F6+zNASoJ8H+wk6ft0XyyM+u4owX+YJiStc0q9Zc8L4J+FP5OH9FWlEb9qtPk1f
> EH9asjn/2aJoyJeCF/cXu+jD9VLQFjiMSvfkXRRxSRsD3mgZEnShDG6ecjog3lLF
> hsL3wxVyJkrqCUbIZUhwYhhldLpqmel03LtS7U336Ya9Cy/3zkiit5WRYYCdZdQ5
> N+AkgFu4e7DtUr2IkeVDeNUjHJ+1lqA5eXjBMR5eGPQI5cKsbug=
> =DKV4
> -----END PGP SIGNATURE-----
Interesting, thanks. I will check it out when I get some time.
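To make the quoted design concrete, here is an added example (written for this thread, not code from the luks-2fa-dracut repository) of the two pieces the module description implies: parsing the rd.luks.2fa= value of the form UUID=keyfile_UUID:keyfile_path:UUID=target_UUID[:timeout], and rendering it into a oneshot systemd unit that runs the unlock steps in the initramfs. The unit name, the helper path /usr/lib/luks-2fa/unlock.sh, the mapper names, the mount point under /run, and the 60-second default timeout are all assumptions of this example, not behaviour documented by the project.

```shell
#!/bin/sh
# Added example: turn an rd.luks.2fa= kernel cmdline value into a systemd unit.
# Not the project's own generator; all unit/helper names below are assumed.

# parse_luks_2fa VALUE
# Prints "keyfile_uuid keyfile_path target_uuid timeout" on success, returns 1
# on a malformed value. Timeout defaults to 60 s when the 4th field is absent.
parse_luks_2fa() {
    value=$1
    oldifs=$IFS
    set -f                       # no globbing while splitting on ':'
    IFS=:
    set -- $value
    IFS=$oldifs
    set +f
    [ $# -eq 3 ] || [ $# -eq 4 ] || {
        echo "rd.luks.2fa: expected 3 or 4 colon-separated fields" >&2; return 1; }
    case $1 in UUID=?*) ;; *) echo "rd.luks.2fa: keyfile volume must be UUID=..." >&2; return 1;; esac
    case $2 in /?*) ;; *) echo "rd.luks.2fa: keyfile path must be absolute" >&2; return 1;; esac
    case $3 in UUID=?*) ;; *) echo "rd.luks.2fa: target volume must be UUID=..." >&2; return 1;; esac
    timeout=${4:-60}             # assumed default
    case $timeout in ''|*[!0-9]*) echo "rd.luks.2fa: timeout must be an integer" >&2; return 1;; esac
    echo "${1#UUID=} $2 ${3#UUID=} $timeout"
}

# systemd escapes '-' in a path component as \x2d, so /dev/disk/by-uuid/<uuid>
# becomes dev-disk-by\x2duuid-<uuid with dashes escaped>.device.
escape_dashes() {
    printf '%s' "$1" | sed 's/-/\\x2d/g'
}

# render_unit KEYFILE_UUID KEYFILE_PATH TARGET_UUID TIMEOUT
# Emits the generated unit: it waits for the keyfile device, must finish before
# cryptsetup.target, and delegates the actual unlock to an assumed helper script.
render_unit() {
    cat <<EOF
[Unit]
Description=2FA unlock of LUKS volume $3 using a keyfile on LUKS volume $1
DefaultDependencies=no
Requires=dev-disk-by\\x2duuid-$(escape_dashes "$1").device
After=dev-disk-by\\x2duuid-$(escape_dashes "$1").device
Before=cryptsetup.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/luks-2fa/unlock.sh $1 $2 $3 $4
EOF
}

# unlock_target KEYFILE_UUID KEYFILE_PATH TARGET_UUID TIMEOUT
# What the helper would do at boot (needs root, cryptsetup and systemd; not run
# by the test). "Something you know" opens the key volume, "something you have"
# (the keyfile on it) opens the target; the key volume is closed again afterwards.
unlock_target() {
    kdev=/dev/disk/by-uuid/$1
    kmap=luks-2fa-keyvol          # assumed mapper name for the keyfile volume
    mnt=/run/luks-2fa-key         # assumed temporary mount point
    # cryptsetup reads the passphrase from stdin (up to newline) when stdin is not a tty
    systemd-ask-password --timeout="$4" "Password for 2FA key volume $1:" \
        | cryptsetup open "$kdev" "$kmap" || return 1
    mkdir -p "$mnt" && mount -o ro "/dev/mapper/$kmap" "$mnt" \
        || { cryptsetup close "$kmap"; return 1; }
    cryptsetup open --key-file="$mnt/$2" "/dev/disk/by-uuid/$3" "luks-$3"
    rc=$?
    umount "$mnt"
    cryptsetup close "$kmap"      # the keyfile volume is only needed during unlock
    return $rc
}

# Usage: sh this_script.sh 'UUID=<keyfile uuid>:/path/on/keyvol:UUID=<target uuid>[:timeout]'
if [ -n "${1:-}" ]; then
    fields=$(parse_luks_2fa "$1") || exit 1
    set -- $fields
    render_unit "$@"
fi
```

The parser rejects values with the wrong field count, non-UUID volume references, a relative keyfile path, or a non-numeric timeout, which is what a generator should do before it writes anything into the initramfs unit directory. Run it with a value on the command line to see the rendered unit; the unlock function is only ever called from that unit at boot.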