Gentoo Forums
Ideas to store keys to unlock luks partitions
axl (l33t)
Joined: 11 Oct 2002
Posts: 825
Location: Romania

Posted: Fri Mar 29, 2019 8:23 am    Post subject: Ideas to store keys to unlock luks partitions

I've been using luks for years now. And as anyone who has been using this technology would tell you, it's just as safe as you make the key. So where do you store the key? There's always the possibility to use a password, but that's kinda not in the spirit of this post. I'm exploring other options, especially remote unlocking.

So passwords aside, how are people using this? Well... passwords. Ok... Other than passwords. Well, keyfiles. And where do they keep the keyfiles? It seems to me the preferred option is on a usb stick. Which is like a key. Right? Both dracut and genkernel do exactly that.

But I was thinking of taking it a step further. And I have various systems where I'd like to try different things. First of all, I want to try an online system. Let's say I have a laptop that has a camera included. It would be pretty easy to include in the initrd support for network, curl, and the camera in the laptop and request a key from a website, and also include a photo of the person in front of the laptop.

I also have 2 systems that have a biometric digit scanner for the finger, and I was thinking of somehow turning those scans into a key and maybe using that to unlock. Also voice scan. These sorts of things might sound wacky, but if you can do them on the main system, it's pretty easy to isolate the libraries and binaries to put them inside the initrd and use them for this purpose.

That's about it. In my personal case, I have cameras in the server room; I could check those to see whether to allow a webserver to distribute a key for a reboot. It's somewhat trivial to make a request system. The system boots, reaches the point where it needs the key, starts the network, makes a request on a webpage, the server sends me a notification on the phone, I check who's in the server room, and either enable the key or not. All done through https. But while thinking about my own little problem I kept running into other ideas about where and how to secure the key.

So I was wondering, what other ideas did you come up with?

BTW, the ability to include the initrd inside the kernel and keep it all tight in one file is keeping me one step ahead of my son, first of all, and my colleagues. But one of these days they will figure out how to split the kernel apart, take out the initrd, uncompress it, and surprise surprise, the key is inside. They haven't figured out yet that the key is in the initrd, but I feel the clock ticking. So I'm considering alternative hiding places.
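The request-and-approve flow described in the post above (boot, fetch key over https, operator gets a notification, key released or not) can be sketched as a small approval broker. The following is an added example, not code from the poster's setup or from dracut/genkernel. It assumes a per-machine shared secret provisioned in the initrd (constructed here; a client certificate would serve the same role), a keyfile per machine held only on the broker, and a notification that is modelled as a list entry instead of a push to a phone. The design point it shows is that the initrd then carries only an authenticator, not the LUKS key itself: each request is authenticated with an HMAC and a fresh nonce (replays are rejected), the key is released exactly once, and only after the operator approves within a time window.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingRequest:
    machine_id: str
    evidence_sha256: str   # digest of the photo the initrd uploaded with the request
    created: float
    approved: bool = False


class UnlockBroker:
    """Server-side approval broker for releasing LUKS keyfiles at boot.

    keys:             machine_id -> keyfile bytes (what cryptsetup eventually reads)
    request_secrets:  machine_id -> per-machine secret used to authenticate requests
    ttl:              seconds a pending request stays valid before it silently expires
    clock:            injectable for testing expiry without sleeping
    """

    def __init__(self, keys, request_secrets, ttl=300, clock=time.time):
        self._keys = dict(keys)
        self._secrets = dict(request_secrets)
        self._ttl = ttl
        self._clock = clock
        self._pending = {}          # token -> PendingRequest
        self._seen_nonces = set()   # (machine_id, nonce) already used; blocks replays
        self.notifications = []     # stands in for the push notification to the phone

    @staticmethod
    def request_tag(secret, machine_id, nonce, evidence_sha256):
        """HMAC the initrd computes over its request; the broker recomputes and compares."""
        msg = f"{machine_id}|{nonce}|{evidence_sha256}".encode()
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()

    def submit(self, machine_id, nonce, evidence_sha256, tag):
        """Accept an authenticated request and notify the operator. Returns a poll token."""
        secret = self._secrets.get(machine_id)
        if secret is None or (machine_id, nonce) in self._seen_nonces:
            return None
        expected = self.request_tag(secret, machine_id, nonce, evidence_sha256)
        if not hmac.compare_digest(expected, tag):
            return None
        self._seen_nonces.add((machine_id, nonce))
        token = secrets.token_urlsafe(32)
        self._pending[token] = PendingRequest(machine_id, evidence_sha256, self._clock())
        self.notifications.append(
            f"{machine_id} is asking for its key; photo sha256 {evidence_sha256[:12]}...; token {token}")
        return token

    def _live(self, token):
        """Return the pending request if it exists and has not expired, else None."""
        req = self._pending.get(token)
        if req is None:
            return None
        if self._clock() - req.created > self._ttl:
            del self._pending[token]
            return None
        return req

    def approve(self, token):
        """Operator decision after looking at the camera: allow this boot."""
        req = self._live(token)
        if req is None:
            return False
        req.approved = True
        return True

    def deny(self, token):
        return self._pending.pop(token, None) is not None

    def release(self, token):
        """Polled by the initrd. The key leaves the broker at most once per request."""
        req = self._live(token)
        if req is None or not req.approved:
            return None
        del self._pending[token]
        return self._keys[req.machine_id]


def demo():
    """Walk the flow once with constructed values; returns (before_approval, first_poll, second_poll, keyfile)."""
    secret = b"constructed-per-machine-secret"          # constructed; lives in the initrd
    keyfile = secrets.token_bytes(64)                    # constructed; lives only on the broker
    broker = UnlockBroker({"srv-01": keyfile}, {"srv-01": secret})
    photo = hashlib.sha256(b"constructed webcam frame").hexdigest()
    nonce = secrets.token_hex(16)
    tag = UnlockBroker.request_tag(secret, "srv-01", nonce, photo)
    token = broker.submit("srv-01", nonce, photo, tag)
    before = broker.release(token)    # None: operator has not approved yet
    broker.approve(token)
    first = broker.release(token)     # the keyfile bytes
    second = broker.release(token)    # None: one-shot release
    return before, first, second, keyfile
```

On the initrd side the released bytes would be piped straight into `cryptsetup open --key-file=- <device> <name>` rather than written to disk, so the key exists only in the memory of the booting machine; the HTTPS client in the initrd should pin the broker's certificate, since a request that trusts any CA can be redirected to a server handing out a different key.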
erm67 (Guru)
Joined: 01 Nov 2005
Posts: 564
Location: EU

Posted: Fri Mar 29, 2019 10:23 am

https://github.com/cornelinux/yubikey-luks + yubikey NFC + unlock with smile on the yubikey app on the mobile :-)
_________________
Ok boomer
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia

My fediverse account: @erm67@erm67.dynu.net
axl (l33t)
Joined: 11 Oct 2002
Posts: 825
Location: Romania

Posted: Sat Mar 30, 2019 12:37 pm

erm67 wrote:
https://github.com/cornelinux/yubikey-luks + yubikey NFC + unlock with smile on the yubikey app on the mobile :-)


I would have never thought this is a business. https://www.yubico.com/. But apparently it is. Anyway, thanks for the post. :)