Re: FDE with passphrase + low cost HSM in LUKS on boot

Thanks for the answers.

My setup wanted is both for personal computer and commercial server use.
Password + Open/Low cost HSM - to be built locally (Brazil).

The solution that is closest to my goal is the Purism. I understand it
is a company product, without specs to build the HSM yourself.

diskAshur PRO2 is also very interesting.

Thanks for the inputs, I will try to put them together to build a local one.

Regards,

-fm

> By now I believe if you really want an encrypted boot process,
> the best option is to get an encrypted USB stick (with keyboard)
> and put the initrd on that. Remove after booting and preferably
> before the net is up. I have done initrd on usb stick
> with hardcoded LUKS passphrase, so that should work nicely.
>
> A diskAshur Pro or something like it should do the trick, but
> make sure you get something some actual security experts
> have looked at.
>
> My scenario for that was a server in a data-center to be rebooted
> by a helper that has no access, but if needed gets the code to
> a safe over the phone and there is the data-center chip card,
> key and the USB stick in there. Plug in, boot server, remove
> stick, put back in safe and lock safe. I think the person that
> would actually have done it would have been our company cleaner
> (smart person, displaced unfortunately and cannot get a better
> job, but has very high personal integrity).
>
> BTW, that is where the respective section in the FAQ comes from.
>
> Regards,
> Arno
>
>
>
> On Wed, Dec 23, 2020 at 15:08:51 CET, JT Morée wrote:
>> Purism (among others) has done some work around using tokens with luks
>> etc.  I have a few pages also.  I use a librem key and LUKS encrypted
>> root partition.  Using Tokens in the linux boot process is still very
>> immature but possible.
>>
>> boot is unencrypted because it is nontrivial to get the boot process to
>> be completely encrypted.  On my purism system pureboot handles verifying
>> the files in /boot.  In theory, a secure boot setup on other systems can
>> do the same.
>>
>> https://docs.puri.sm/PureBoot.html
>> https://sites.google.com/site/jtmoree/knowledge-base/cryptsetup-luks-and-smart-cards?authuser=0
>>
>>
>> JT
>>
>>
>>
>>
>> On Tuesday, December 22, 2020, 5:10:40 AM MST, Fabio Martins
>> <fm.crypt1@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>>
>> Hi,
>>
>> Would like to know if it is possible to use FDE + low cost HSM (Yubico
>> like) on boot with LUKS.
>>
>> My idea being you need a passphrase (something you know) + something you
>> have (HSM) to achieve real security.
>>
>> If not, is there a direction where such addition can be worked out?
>>
>> Thanks.
>>
>> --
>>
>> fm
>>
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt@xxxxxxxx
>> https://www.saout.de/mailman/listinfo/dm-crypt
>
> --
> Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@xxxxxxxxxxx
> GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
> ----
> A good decision is based on knowledge and not on numbers. -- Plato
>
> If it's in the news, don't worry about it.  The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
>
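The thread asks for "something you know + something you have" on a LUKS unlock, and the replies sketch the two practical shapes (a token-bound key slot, or an initrd on a removable stick). The script below is an added example, not code from any poster, Purism, or the dm-crypt project. It shows the token-bound variant: the passphrase and a challenge-response token are combined into the secret stored in a second LUKS key slot, so neither factor alone opens the volume. Assumptions: a token in HMAC challenge-response mode (a YubiKey would be queried with `ykchalresp -2 "$challenge"`; here the token is simulated with a hash so the flow runs without hardware, and the simulated `TOKEN_SECRET` is a constructed demo value), and that the script is placed in the initramfs. As JT notes, that initramfs still sits on an unencrypted /boot, so it has to be verified by PureBoot or secure boot, or carried on a removable stick as Arno describes.

```shell
#!/bin/sh
# Two-factor LUKS key derivation: passphrase (something you know) bound to a
# hardware-token response (something you have). Added example; assumes an
# HMAC challenge-response token (real call: ykchalresp -2 "$challenge").
set -eu

# Hardware-token stand-in. A real token keeps its secret inside and never
# exports it; this function only exists so the flow can run without hardware.
# TOKEN_SECRET is a constructed demo value, not a real key.
TOKEN_SECRET="${TOKEN_SECRET:-constructed-demo-secret-not-a-real-key}"
token_response() {
    challenge="$1"
    printf '%s|%s' "$TOKEN_SECRET" "$challenge" | sha256sum | cut -d' ' -f1
}

# Bind both factors: the token is challenged with a hash of the passphrase
# (the passphrase itself never reaches the token), then passphrase and
# response are hashed together into the key-slot secret. A missing or wrong
# token therefore yields a different key, and the passphrase alone is useless.
derive_unlock_key() {
    passphrase="$1"
    challenge=$(printf '%s' "$passphrase" | sha256sum | cut -d' ' -f1)
    response=$(token_response "$challenge")
    printf '%s|%s' "$passphrase" "$response" | sha256sum | cut -d' ' -f1
}

# Enrol the derived key into a free LUKS slot. cryptsetup prompts for an
# existing passphrase to authorise the change; keep that plain-passphrase
# slot as the recovery path, or a lost token means a lost disk.
# Needs root and a real LUKS device; not exercised by the self-test.
enrol_key() {
    dev="$1"; passphrase="$2"
    derive_unlock_key "$passphrase" | cryptsetup luksAddKey "$dev" --new-keyfile=-
}

# Boot-time unlock: the derived key is piped to cryptsetup as the key file.
unlock() {
    dev="$1"; name="$2"; passphrase="$3"
    derive_unlock_key "$passphrase" | cryptsetup open "$dev" "$name" --key-file=-
}
```

In a real initramfs hook the passphrase would be read with a no-echo prompt and `token_response` replaced by the actual token call; the derivation, enrolment and unlock functions stay the same. The plain-passphrase slot added at install time remains valid, so the security gain only materialises once that slot is removed (or its passphrase is a long recovery secret kept offline, in the spirit of Arno's safe).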
