On Sunday, September 10, 2017 at 6:02:24 PM UTC-4, [email protected] wrote:
> On Monday, 29 August 2016 01:34:11 UTC-4, Raphael Susewind wrote:
> > > while initially I thought it would be interesting to try, the only
> > > situation when yubikey could actually improve security is having to boot
> > > a Qubes PC under unavoidable surveillance.
> >
> > came to the same conclusion - probably not worth the security
> > tradeoff... Perhaps one can implement a 2FA solution for FDE using
> > something like paperkey? It would still be the 'someone peeks over my
> > shoulder in a cafe' kind of scenario, but without the USB compromise
>
> It is not just 'unavoidable surveillance'.
> Qubes doesn't just run on Laptops. Think about Desktops. They require USB
> Keyboards since most modern desktop systems don't have PS/2. And since they
> require USB Keyboards to enter the LUKS Passphrase, that means the
> "rd.qubes.hide_all_usb" option in the bootloader will render the whole system
> inaccessible. So USB security at boot time is not an option, therefore, not
> a tradeoff with 2FA.
>
> It isn't for the "lazy" people either. 2FA means that I don't have to weaken
> my passphrase so it's memorable. And if snooped by some Evil Maid attack
> methods, they'll need to pull the token from my cold dead hands too.
>
> I am hoping someone will finish this idea and make it available, especially
> for desktop users with yubikey.
> Unfortunately, I don't have much knowledge on initramfs or dracut to produce
> something usable myself. I have searched all over, and only find the same
> abandoned ideas, or directions to using Yubikey for something other than
> LUKS, or on a Debian based system.
>
> Please help.
> Thank you.

Almost all motherboards still come with PS/2. Only budget gaming ones don't. But even most gaming ones do.
