By now I beleive if you really want an entcypted boot process, the best option is to get an encrypted USB stick (with keyboard) and put the initrd on that. Remove after booting and preferrably before the net is up. I have done initrd on usb stick with hardcoded LUKS passphrase, so that should work nicely. A diskAshur Pro or something like it should do the trick, but make sure you get something some atrual security experts have looked at. My scenario for that was a server in a data-center to be rebooted by a helper that has no access, but if needed gets the code to a safe over the phone and there is the data-center chip card, key and the USB stick in there. Plug in, boot server, remove stick, put back in safe and lock save. I think the person that would actually have done it would have been our company cleaner (smart person, displaced unfortunately and cannot get a better job, but has very high personal integrity). BTW, that is where the serpective section in the FAQ comes from. Regards, Arno On Wed, Dec 23, 2020 at 15:08:51 CET, JT Morée wrote: > Purism (among others) has done some work around using tokens with luks > etc. I have a few pages also. I use a librem key and LUKS encrypted root > partition. Using Tokens in the linux boot process is still very immature > but possible. > > boot is unencrypted because it is nontrivial to get the boot process to be > completely encrypted. One my purism system pureboot handles verifying the > files in /boot. In theory, a secure boot setup on other systems can do > the same. > > https://docs.puri.sm/PureBoot.html > https://sites.google.com/site/jtmoree/knowledge-base/cryptsetup-luks-and-smart-cards?authuser=0 > > > JT > > > > > On Tuesday, December 22, 2020, 5:10:40 AM MST, Fabio Martins <fm.crypt1@xxxxxxxxxxxxxxxxxxxxxx> wrote: > > Hi, > > Would like to know if is it possible to use FDE + low cost HSM (Yubico > like) on boot with LUKS. > > My idea being you need a passphrase (something you know) + something you > have (HSM) to achieve real security. > > If not, is there a direction where such addition can be worked out? > > Thanks. > > -- > > fm > > _______________________________________________ > dm-crypt mailing list > dm-crypt@xxxxxxxx > https://www.saout.de/mailman/listinfo/dm-crypt > _______________________________________________ > dm-crypt mailing list > dm-crypt@xxxxxxxx > https://www.saout.de/mailman/listinfo/dm-crypt -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- A good decision is based on knowledge and not on numbers. -- Plato If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx https://www.saout.de/mailman/listinfo/dm-crypt
