Thanks for the answers.

My setup wanted is both for personal computer and commercial server use: password + open/low-cost HSM, to be built locally (Brazil).

The solution that is closest to my goal is the Purism. I understand it is a company product, without specs to build the HSM yourself.

diskAshur PRO2 is also very interesting.

Thanks for the inputs, I will try to put them together to build a local one.

Regards,
-fm

> By now I believe if you really want an encrypted boot process,
> the best option is to get an encrypted USB stick (with keyboard)
> and put the initrd on that. Remove after booting and preferably
> before the net is up. I have done initrd on USB stick
> with hardcoded LUKS passphrase, so that should work nicely.
>
> A diskAshur Pro or something like it should do the trick, but
> make sure you get something some actual security experts
> have looked at.
>
> My scenario for that was a server in a data-center to be rebooted
> by a helper that has no access, but if needed gets the code to
> a safe over the phone and there is the data-center chip card,
> key and the USB stick in there. Plug in, boot server, remove
> stick, put back in safe and lock safe. I think the person that
> would actually have done it would have been our company cleaner
> (smart person, displaced unfortunately and cannot get a better
> job, but has very high personal integrity).
>
> BTW, that is where the respective section in the FAQ comes from.
>
> Regards,
> Arno
>
> On Wed, Dec 23, 2020 at 15:08:51 CET, JT Morée wrote:
>> Purism (among others) has done some work around using tokens with LUKS
>> etc. I have a few pages also. I use a Librem Key and LUKS encrypted root
>> partition. Using tokens in the Linux boot process is still very immature
>> but possible.
>>
>> boot is unencrypted because it is nontrivial to get the boot process to be
>> completely encrypted. On my Purism system PureBoot handles verifying the
>> files in /boot. In theory, a secure boot setup on other systems can do
>> the same.
>>
>> https://docs.puri.sm/PureBoot.html
>> https://sites.google.com/site/jtmoree/knowledge-base/cryptsetup-luks-and-smart-cards?authuser=0
>>
>> JT
>>
>> On Tuesday, December 22, 2020, 5:10:40 AM MST, Fabio Martins
>> <fm.crypt1@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>>
>> Hi,
>>
>> Would like to know if it is possible to use FDE + low cost HSM (Yubico
>> like) on boot with LUKS.
>>
>> My idea being you need a passphrase (something you know) + something you
>> have (HSM) to achieve real security.
>>
>> If not, is there a direction where such addition can be worked out?
>>
>> Thanks.
>>
>> --
>>
>> fm
>>
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt@xxxxxxxx
>> https://www.saout.de/mailman/listinfo/dm-crypt
>
> --
> Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx
> GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
> ----
> A good decision is based on knowledge and not on numbers. -- Plato
>
> If it's in the news, don't worry about it. The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
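As an added illustration that is not code from this thread, from cryptsetup, or from any of the products named above, the following Python models the "something you know + something you have" combination Fabio asks about: a passphrase typed at boot and a response from a challenge-response token (the way a Yubikey-style HMAC slot behaves) are folded into one secret that would be enrolled in a LUKS key slot as a keyfile. The challenge derivation, the concatenation layout, the PBKDF2 parameters and all sample values are assumptions constructed for the example; real tooling such as the projects JT links may combine the factors differently. The point shown is that neither factor alone reproduces the unlock key, so losing the token or leaking the passphrase by itself does not unlock the volume.

```python
import hashlib
import hmac

# Constructed sample values standing in for the two factors and the per-volume
# salt. In a real initrd the passphrase comes from the console and the token
# response from the device; the secret inside the token is never read out.
SAMPLE_PASSPHRASE = "correct horse battery staple"
SAMPLE_TOKEN_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff00112233")
SAMPLE_SALT = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")


def token_response(token_secret: bytes, challenge: bytes) -> bytes:
    """Model of an HMAC challenge-response token (assumed behaviour).

    Only HMAC(secret, challenge) leaves the device, so an attacker who
    observes the boot exchange learns the response, not the token secret.
    """
    return hmac.new(token_secret, challenge, hashlib.sha256).digest()


def volume_challenge(salt: bytes) -> bytes:
    """Derive a fixed per-volume challenge from the salt stored beside the
    LUKS header (hypothetical layout), so the token answers the same
    question on every boot and the derived key stays stable."""
    return hashlib.sha256(b"luks-boot-challenge:" + salt).digest()


def derive_unlock_key(passphrase: str, response: bytes, salt: bytes,
                      iterations: int = 200_000) -> bytes:
    """Fold both factors into one 64-byte keyfile for a LUKS key slot.

    The passphrase and the token response are concatenated with a separator
    and stretched with PBKDF2-HMAC-SHA256; changing either input changes the
    whole result, which is what makes both factors mandatory.
    """
    material = passphrase.encode("utf-8") + b"\x00" + response
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations, dklen=64)


def unlock_key_with_factors(passphrase: str, token_secret: bytes,
                            salt: bytes) -> bytes:
    """Full boot-time sequence: challenge the token, then combine the answer
    with the passphrase into the unlock key."""
    response = token_response(token_secret, volume_challenge(salt))
    return derive_unlock_key(passphrase, response, salt)


if __name__ == "__main__":
    key = unlock_key_with_factors(SAMPLE_PASSPHRASE, SAMPLE_TOKEN_SECRET, SAMPLE_SALT)
    wrong_token = unlock_key_with_factors(SAMPLE_PASSPHRASE, b"\x00" * 20, SAMPLE_SALT)
    wrong_pass = unlock_key_with_factors("hunter2", SAMPLE_TOKEN_SECRET, SAMPLE_SALT)
    print("unlock key:", key.hex())
    print("wrong token matches:", key == wrong_token)
    print("wrong passphrase matches:", key == wrong_pass)
```

In a deployment the derived bytes would be fed to cryptsetup as a keyfile from the initrd and wiped from memory afterwards; the salt is not secret and can live next to the header, while the two factors are the passphrase and the physical token.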