On Thu, 15 Aug 2013 17:51:03 +0100
TJ <grub-de...@iam.tj> wrote:

> So I'd like to know what support for key-files and/or fingerprint
> reading is/could be as input for LUKS unlocking?
>
> My other thought, to keep things simple, is to encrypt the entire
> hard drive and install GRUB and the /boot/ files on the removable USB
> key. More clunky but maybe easier to achieve.

Based on this comment I assume you currently have an unencrypted boot area on the hard drive and are using an initrd. In this case, grub need not be in the picture at all. Grub will load the kernel and initrd, which will then attempt to unlock the rest of the drive. It's at that stage that you'll want to include your secret gathering mechanism. So your prospects are much brighter because you have all of linux at your disposal.

Currently, I have my drive fully encrypted (excepting the LUKS header) and do a boot from USB. I use grub to decrypt the drive to load the encrypted kernel and initrd from there. So in my case, I would need to have grub support if I wanted to use some arbitrary auth mechanism. However, this could be mitigated by having the kernel and initrd on the USB. I don't find it clunky, if you always keep the USB on your person (e.g. on your keychain).