On Wed, Jun 18, 2014 at 17:37:14 CEST, Yves-Alexis Perez wrote:
> On Tue., 2014-06-17 at 20:11 +0200, Arno Wagner wrote:
> > But you should know that an RSA token does not provide any secret
> > when used to authenticate. It proves that it knows a secret, but
> > that secret is not transferred. Hence an RSA token is not suitable
> > for use with disk encryption.
>
> Well, if the hardware device is able to decrypt something (like a pkcs11
> token or an OpenPGP smartcard, for example), it's at least possible to
> store an encrypted keyfile somewhere accessible at boot, then ask the
> token for decryption and feed that to cryptsetup.

True, but then the disk-encryption is done via that Smartcard or pkcs11
token. The RSA token would just communicate with them and not with
the disk-encryption and it becomes a different problem.

> I'm not sure if google authenticator and the RSA token you're talking
> about fit in that description though.

I am not sure either.

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. - Plato
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
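
The distinction drawn in this message, as an added example that is not part of the original thread: a one-time-password token emits a different code at every boot, while a decrypting token returns the same keyfile bytes each time. Assumptions: the OTP side is modelled with RFC 6238 TOTP (the scheme Google Authenticator uses; the RSA token's own algorithm is not modelled), and `DecryptingToken` and `wrap_keyfile` are hypothetical names using toy textbook RSA in place of a real card.

```python
import hashlib
import hmac
import secrets
import struct


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: proves knowledge of `seed`, never reveals it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class DecryptingToken:
    """Hypothetical stand-in for a PKCS#11 token or OpenPGP card."""

    # Toy textbook RSA over two Mersenne primes: illustration only, not secure.
    _P, _Q, E = 2 ** 127 - 1, 2 ** 89 - 1, 65537
    N = _P * _Q

    def __init__(self) -> None:
        # The private exponent never leaves the object, as on a real card.
        self._d = pow(self.E, -1, (self._P - 1) * (self._Q - 1))

    def decrypt(self, wrapped: int) -> bytes:
        return pow(wrapped, self._d, self.N).to_bytes(16, "big")


def wrap_keyfile(keyfile: bytes, n: int, e: int) -> int:
    """One-time setup: encrypt the keyfile to the token's public key."""
    return pow(int.from_bytes(keyfile, "big"), e, n)


def demo() -> tuple:
    # Constructed input: the RFC 6238 test seed at two different boot times.
    seed = b"12345678901234567890"
    codes = {totp(seed, t, digits=8) for t in (59, 1111111109)}
    # Each boot gives a different code, so there is no stable key to derive.

    token = DecryptingToken()
    keyfile = secrets.token_bytes(16)  # the bytes cryptsetup would be fed
    wrapped = wrap_keyfile(keyfile, token.N, token.E)  # stored readable at boot
    stable = all(token.decrypt(wrapped) == keyfile for _ in range(3))
    return len(codes), stable


if __name__ == "__main__":
    print(demo())  # (2, True)
```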