Re: cryptsetup Yubikey challenge-response support

I am also interested, HMAC/SHA challenge-response for OnlyKey would be a great addition to cryptsetup.

I do not think this should be a product-specific implementation, but general for all hardware tokens that support it: OnlyKey, Yubikey, Nitrokey, etc.

Adding Tim here, who is the maintainer of the OnlyKey project and may be interested.

Thanks,
-Nik

On 4/8/20 10:37 AM, 7heo wrote:
Hello,

I believe this is a very good idea, but the implementation should not be limited to Yubikey. There are other solutions out there (Nitrokey is one) that would also need to be supported IMHO.

In addition, I would favor the implementation support of bare USB keys (mass storage), for those of us who wish to use their already-owned encrypted mass storage keys in order to unlock their drive.

I had started to implement this (the latter part) in the Alpine Linux initramfs some years ago but given the complexity of the task and the lack of public interest, coupled with FOSS politics, I gave up on it.

If you start working on an implementation, I'd be curious to see that and I could eventually participate.

Also, your email looks just fine to me :)

Cheers,
7heo

On Apr 8, 2020 09:54, Dan Farrell <djfarrell@xxxxxxxxx> wrote:

Hi,

Hopefully this email comes through without HTML and properly wrapped,
sorry if it doesn't.

I am wondering if any group has started or is interested in adding
Yubikey challenge-response support to cryptsetup?

The idea would be to add the option to insert a USB key to (optionally
automagically) unlock at boot time (or whenever cryptsetup is
running). There would be a backup password of course.

I'm interested in doing this for myself if it's not underway at the
moment. I have some basic ideas on how to do this. I do realise this
could be done external to cryptsetup with distro support, but doing
that messing around with initramfs etc sounds painful, let alone each
distro would need to be supported individually.

If it's of no interest, that's ok, I'll do it for myself. But if there
is interest I would be willing to work with maintainers to find the
best way to do this and contribute the effort.

Regards,

Dan Farrell
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt