Purism (among others) has done some work around using tokens with LUKS etc. I have a few pages also. I use a Librem Key and a LUKS-encrypted root partition. Using tokens in the Linux boot process is still very immature but possible. boot is unencrypted because it is nontrivial to get the boot process to be completely encrypted. On my Purism system, PureBoot handles verifying the files in /boot. In theory, a secure boot setup on other systems can do the same.

https://docs.puri.sm/PureBoot.html
https://sites.google.com/site/jtmoree/knowledge-base/cryptsetup-luks-and-smart-cards?authuser=0

JT

On Tuesday, December 22, 2020, 5:10:40 AM MST, Fabio Martins <fm.crypt1@xxxxxxxxxxxxxxxxxxxxxx> wrote:

Hi,

Would like to know if it is possible to use FDE + low cost HSM (Yubico like) on boot with LUKS.

My idea being you need a passphrase (something you know) + something you have (HSM) to achieve real security.

If not, is there a direction where such addition can be worked out?

Thanks.

--
fm

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt