Re: OpenBSD 5.5-STABLE: Full Disk Encryption (bioctl) and Smart Cards
On 26-08-2014 05:00, Maurice McCarthy wrote:
> Yubikey 2.2+ static passwords went up to 38 characters and are changeable
> by the user. Yubikey Neo is not changeable. Later this year there is
> supposed to be a public release of the NEO with U2F, Universal 2nd Factor
> including wireless support. It has been tested inside Google and
> elsewhere. NEO is twice the price now.

You just need to take care to use only printable ASCII characters when
using static passwords. Lesson learned the hard way. But they work fine
otherwise.

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
Re: OpenBSD 5.5-STABLE: Full Disk Encryption (bioctl) and Smart Cards
On Tue, Aug 26, 2014 at 12:03:52AM + or thereabouts, Stuart Henderson wrote:
> On 2014-08-23, Zach Leslie wrote:
> > All yubikeys have the two slots, to my knowledge, which can be set either
> > static or otp.
>
> Yes 2 slots - the gui and cli programming tools are in packages.
>
> Not sure about newer ones, but older yubikeys are quite limited in
> maximum static password length (16 chars iirc).

Yubikey 2.2+ static passwords went up to 38 characters and are changeable
by the user. Yubikey Neo is not changeable. Later this year there is
supposed to be a public release of the NEO with U2F, Universal 2nd Factor
including wireless support. It has been tested inside Google and
elsewhere. NEO is twice the price now.
Re: OpenBSD 5.5-STABLE: Full Disk Encryption (bioctl) and Smart Cards
On 2014-08-23, Zach Leslie wrote:
> All yubikeys have the two slots, to my knowledge, which can be set either
> static or otp.

Yes 2 slots - the gui and cli programming tools are in packages.

Not sure about newer ones, but older yubikeys are quite limited in
maximum static password length (16 chars iirc).
Re: OpenBSD 5.5-STABLE: Full Disk Encryption (bioctl) and Smart Cards
On August 23, 2014 6:26:04 PM CEST, "Артур Истомин" wrote:
>On Sat, Aug 23, 2014 at 02:09:20PM +0200, Alexander Hall wrote:
>> On August 23, 2014 4:33:55 AM CEST, "Артур Истомин" wrote:
>> >On Fri, Aug 22, 2014 at 04:03:59PM -0700, Zach Leslie wrote:
>> >> > However, I don't know how it is seen by the system and if it would
>> >> > show up as a drive. Anyone in here is using a smart card to decrypt
>> >> > volumes at boot?
>> >>
>> >> You could use a YubiKey with a static long password to unlock the boot
>> >> volume.
>> >
>> >[offtop]
>> >
>> >Are there any YubiKey-like devices that can contain many static
>> >passwords, not one like YubiKey?
>>
>> Not sure it helps, but mine contains two...
>
>It helps! I need one for login password and second for firefox's password
>manager. Which model do you use?

I don't actively use it, and I don't remember exactly, but it should be
available from their list of models and datasheets...
Re: OpenBSD 5.5-STABLE: Full Disk Encryption (bioctl) and Smart Cards
> > >Are there any YubiKey-like devices that can contain many static
> > >passwords, not one like YubiKey?
> >
> > Not sure it helps, but mine contains two...
>
> It helps! I need one for login password and second for firefox's password
> manager. Which model do you use?

All yubikeys have the two slots, to my knowledge, which can be set either
static or otp.
Re: OpenBSD 5.5-STABLE: Full Disk Encryption (bioctl) and Smart Cards
On Sat, Aug 23, 2014 at 02:09:20PM +0200, Alexander Hall wrote:
> On August 23, 2014 4:33:55 AM CEST, "Артур Истомин" wrote:
> >On Fri, Aug 22, 2014 at 04:03:59PM -0700, Zach Leslie wrote:
> >> > However, I don't know how it is seen by the system and if it would
> >> > show up as a drive. Anyone in here is using a smart card to decrypt
> >> > volumes at boot?
> >>
> >> You could use a YubiKey with a static long password to unlock the boot
> >> volume.
> >
> >[offtop]
> >
> >Are there any YubiKey-like devices that can contain many static
> >passwords, not one like YubiKey?
>
> Not sure it helps, but mine contains two...

It helps! I need one for login password and second for firefox's password
manager. Which model do you use?
Re: OpenBSD 5.5-STABLE: Full Disk Encryption (bioctl) and Smart Cards
On August 23, 2014 4:33:55 AM CEST, "Артур Истомин" wrote:
>On Fri, Aug 22, 2014 at 04:03:59PM -0700, Zach Leslie wrote:
>> > However, I don't know how it is seen by the system and if it would
>> > show up as a drive. Anyone in here is using a smart card to decrypt
>> > volumes at boot?
>>
>> You could use a YubiKey with a static long password to unlock the boot
>> volume.
>
>[offtop]
>
>Are there any YubiKey-like devices that can contain many static
>passwords, not one like YubiKey?

Not sure it helps, but mine contains two...

/Alexander
Re: OpenBSD 5.5-STABLE: Full Disk Encryption (bioctl) and Smart Cards
On 2014-08-22, Julien Meister wrote:
> Thank you very much.
>
> So there is really really no way for the system to retrieve the key stored
> on the smart card (using GnuPG) at boot in order to decrypt
> the volumes?

Correct, you can't run application programs like GnuPG before the system
has booted.
Re: OpenBSD 5.5-STABLE: Full Disk Encryption (bioctl) and Smart Cards
On Fri, Aug 22, 2014 at 04:03:59PM -0700, Zach Leslie wrote:
> > However, I don't know how it is seen by the system and if it would
> > show up as a drive. Anyone in here is using a smart card to decrypt
> > volumes at boot?
>
> You could use a YubiKey with a static long password to unlock the boot
> volume.

[offtop]

Are there any YubiKey-like devices that can contain many static
passwords, not one like YubiKey?
Re: OpenBSD 5.5-STABLE: Full Disk Encryption (bioctl) and Smart Cards
> However, I don't know how it is seen by the system and if it would
> show up as a drive. Anyone in here is using a smart card to decrypt
> volumes at boot?

You could use a YubiKey with a static long password to unlock the boot
volume.

--
Zach
Re: OpenBSD 5.5-STABLE: Full Disk Encryption (bioctl) and Smart Cards
On Fri, Aug 22, 2014 at 08:01:27PM +0200, Julien Meister wrote:
> So there is really really no way for the system to retrieve the key stored
> on the smart card (using GnuPG) at boot in order to decrypt
> the volumes?

The boot loaders and the kernel only support softraid(4) keydisks created
as part of crypto volumes with bioctl(8).
Re: OpenBSD 5.5-STABLE: Full Disk Encryption (bioctl) and Smart Cards
Thank you very much.

So there is really really no way for the system to retrieve the key stored
on the smart card (using GnuPG) at boot in order to decrypt
the volumes?

I haven't bought the smartcard yet because I wanted to see first if it was
useful. The one I was planning to buy was an OpenPGP v2 SC:
http://shop.kernelconcepts.de/product_info.php?products_id=42

However, I don't know how it is seen by the system and if it would
show up as a drive. Anyone in here is using a smart card to decrypt
volumes at boot?

Thanks!

On Wed, Aug 20, 2014 at 8:13 PM, Ted Unangst wrote:
> On Wed, Aug 20, 2014 at 18:11, Julien Meister wrote:
> > Hello everybody,
> >
> > I'm from FreeBSD and I wanted to give OpenBSD a (new) try.
> >
> > I would like to have a full disk encryption (as I've seen it's possible
> > now with OpenBSD 5.5) and use a smart card to decrypt the volumes at
> > boot, instead of having to type a password, which seems "less secure".
> >
> > I read a lot of articles to see how it works using bioctl but none are
> > talking about using a smart card as a keydisk, only USB drive.
> >
> > If I understood correctly, when using "bioctl -k /path/of/RAID/keydisk",
> > the key is created automatically and the encrypted RAID volume is
> > associated to that "USB RAID partition keydisk". So the system can now
> > boot only if the BIOS/UEFI finds that particular USB RAID partition.
> >
> > My questions are:
> >
> > 1) How to do the same thing using a Smart Card instead of a USB drive?
> >
> > 2) Is it possible to "copy" the image of the USB key disk to a Smart Card
> > (or inversely) to be able to boot using either the USB or the Smart Card?
> >
> > 3) If the Smart card is used as a key disk to boot the system. Is it
> > possible to configure that same smart card to access my home computer
> > using SSH? (As if it was ONLY possible to SSH to my computer using that
> > smartcard).
>
> This would depend a lot on your smart card. Does it show up as a disk,
> like sd1 or sd2, like USB drives do? If so, then you do exactly what
> you'd do with a USB drive. If not, then it's not supported.
Re: OpenBSD 5.5-STABLE: Full Disk Encryption (bioctl) and Smart Cards
On Wed, Aug 20, 2014 at 18:11, Julien Meister wrote:
> Hello everybody,
>
> I'm from FreeBSD and I wanted to give OpenBSD a (new) try.
>
> I would like to have a full disk encryption (as I've seen it's possible now
> with OpenBSD 5.5) and use a smart card to decrypt the volumes at
> boot, instead of having to type a password, which seems "less secure".
>
> I read a lot of articles to see how it works using bioctl but none are
> talking about using a smart card as a keydisk, only USB drive.
>
> If I understood correctly, when using "bioctl -k /path/of/RAID/keydisk",
> the key is created automatically and the encrypted RAID volume is
> associated to that "USB RAID partition keydisk". So the system can now
> boot only if the BIOS/UEFI finds that particular USB RAID partition.
>
> My questions are:
>
> 1) How to do the same thing using a Smart Card instead of a USB drive?
>
> 2) Is it possible to "copy" the image of the USB key disk to a Smart Card
> (or inversely) to be able to boot using either the USB or the Smart Card?
>
> 3) If the Smart card is used as a key disk to boot the system. Is it
> possible to configure that same smart card to access my home computer
> using SSH? (As if it was ONLY possible to SSH to my computer using that
> smartcard).

This would depend a lot on your smart card. Does it show up as a disk,
like sd1 or sd2, like USB drives do? If so, then you do exactly what
you'd do with a USB drive. If not, then it's not supported.
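What "exactly what you'd do with a USB drive" looks like in practice, as an added worked example that is not code from this thread or from the OpenBSD project: a script that prepares a data disk and a USB keydisk and binds a softraid(4) crypto volume to the keydisk with bioctl(8), as one would run it from the installer's shell before installing onto the resulting volume. The device names sd0 (target disk) and sd1 (USB stick) are assumptions; check `sysctl hw.disknames` on the machine. The exact prompt sequence fed to `disklabel -E` is also an assumption about the interactive editor and should be verified against disklabel(8) on the release in use. The script refuses to call bioctl unless the keydisk really carries a RAID partition, because the keydisk is a softraid partition, not a file on the stick. By default it only prints the commands; both fdisk and disklabel here are destructive, so run it as root with `DRY_RUN=` only on disks you mean to wipe.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenBSD project): create a
# softraid(4) crypto volume whose key lives on a USB keydisk partition.
# Assumptions: target disk sd0, USB stick sd1 (see sysctl hw.disknames).
# DESTRUCTIVE: both devices are relabelled. DRY_RUN=1 (the default) only
# prints the commands; run as root with DRY_RUN= to execute them.
set -eu
DRY_RUN="${DRY_RUN-1}"

# Constructed sample disklabel(8) output, used instead of the real label in
# dry-run mode so the RAID-partition check below is still exercised.
SAMPLE_LABEL='# /dev/rsd1c:
#                size           offset  fstype [fsize bsize   cpg]
  a:          4194304               64    RAID
  c:          4194368                0  unused'

# run CMD_STRING: print in dry-run mode, otherwise execute. eval is used so
# the pipeline feeding disklabel -E works; the only interpolated values are
# device names typed by the operator, not untrusted input.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$1"
    else
        eval "$1"
    fi
}

# read_label DISK: disklabel(8) text for DISK (the sample in dry-run mode).
read_label() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$SAMPLE_LABEL"
    else
        disklabel "$1"
    fi
}

# raid_partition LABEL_TEXT: print the letter of the first partition whose
# fstype column is RAID; exit 1 if there is none. Data lines look like
# "  a:   4194304   64   RAID", so $1 is "a:" and $4 is the fstype.
raid_partition() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[a-p]:$/ && $4 == "RAID" { print substr($1, 1, 1); found = 1; exit }
        END { exit !found }'
}

# make_raid_disk DISK: fresh MBR with one OpenBSD slice, then a single
# partition "a" of fstype RAID covering it. The printf answers the
# disklabel -E prompts (assumed sequence): "a a" adds partition a, two empty
# lines accept the default offset and size, "RAID" is the FS type, "w"
# writes the label, "q" quits.
make_raid_disk() {
    run "fdisk -iy $1"
    run "printf 'a a\\n\\n\\nRAID\\nw\\nq\\n' | disklabel -E $1"
}

# setup DATA_DISK KEY_DISK: prepare both disks, verify the keydisk really
# has a RAID partition, then bind the crypto volume to it. bioctl(8) flags:
# -c C crypto discipline, -l the chunk holding the encrypted data, -k the
# keydisk partition. The new volume shows up as a further sdN; install onto
# that, and keep the stick plugged in at boot so the loader can find it.
setup() {
    data_disk="$1"
    key_disk="$2"
    make_raid_disk "$data_disk"
    make_raid_disk "$key_disk"
    key_part="$(raid_partition "$(read_label "$key_disk")")" || {
        echo "no RAID partition on $key_disk; refusing to run bioctl" >&2
        return 1
    }
    run "bioctl -c C -l /dev/${data_disk}a -k /dev/${key_disk}${key_part} softraid0"
}

# `sh this.sh --plan` prints the command sequence for the assumed devices.
case "${1-}" in
    --plan) setup sd0 sd1 ;;
esac
```

The volume created this way unlocks from whatever appears as the keydisk device at boot, which is the whole of what the boot loader supports: a second copy of the key on a smart card would only work if the card itself enumerated as an sdN disk with a RAID partition, as Ted's reply says.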
OpenBSD 5.5-STABLE: Full Disk Encryption (bioctl) and Smart Cards
Hello everybody,

I'm from FreeBSD and I wanted to give OpenBSD a (new) try.

I would like to have a full disk encryption (as I've seen it's possible now
with OpenBSD 5.5) and use a smart card to decrypt the volumes at
boot, instead of having to type a password, which seems "less secure".

I read a lot of articles to see how it works using bioctl but none are
talking about using a smart card as a keydisk, only USB drive.

If I understood correctly, when using "bioctl -k /path/of/RAID/keydisk",
the key is created automatically and the encrypted RAID volume is
associated to that "USB RAID partition keydisk". So the system can now
boot only if the BIOS/UEFI finds that particular USB RAID partition.

My questions are:

1) How to do the same thing using a Smart Card instead of a USB drive?

2) Is it possible to "copy" the image of the USB key disk to a Smart Card
(or inversely) to be able to boot using either the USB or the Smart Card?

3) If the Smart card is used as a key disk to boot the system. Is it
possible to configure that same smart card to access my home computer
using SSH? (As if it was ONLY possible to SSH to my computer using that
smartcard).

Thank you very much for your help, I'm pretty new with those kind of things.

Julien M