On Monday, 29 August 2016 01:34:11 UTC-4, Raphael Susewind wrote:
> > while initially I thought it would be interesting to try, the only
> > situation when yubikey could actually improve security is having to boot a
> > Qubes PC under unavoidable surveillance.
>
> came to the same conclusion - probably not worth the security
> tradeoff... Perhaps one can implement a 2FA solution for FDE using
> something like paperkey? It would still be the 'someone peeks over my
> shoulder in a cafe' kind of scenario, but without the USB compromise
It is not just 'unavoidable surveillance'. Qubes doesn't just run on Laptops. Think about Desktops. They require USB Keyboards since most modern desktop systems don't have PS/2. And since they require USB Keyboards to enter the LUKS Passphrase, that means the "rd.qubes.hide_all_usb" option in the bootloader will render the whole system inaccessible. So USB security at boot time is not an option, therefore, not a tradeoff with 2FA.

It isn't for the "lazy" people either. 2FA means that I don't have to weaken my passphrase so it's memorable. And if snooped by some Evil Maid attack methods, they'll need to pull the token from my cold dead hands too.

I am hoping someone will finish this idea and make it available, especially for desktop users with yubikey. Unfortunately, I don't have much knowledge on initramfs or dracut to produce something usable myself. I have searched all over, and only find the same abandoned ideas, or directions to using Yubikey for something other than LUKS, or on a Debian-based system.

Please help. Thank you.
