On Fri, Aug 30, 2013 at 11:10:39AM +0200, j.witvl...@mindef.nl wrote:
> -----Original Message-----
> From: grub-devel-bounces+j.witvliet=mindef...@gnu.org
> [mailto:grub-devel-bounces+j.witvliet=mindef...@gnu.org] On Behalf Of TJ
> Sent: Thursday, August 29, 2013 10:20 PM
> To: grub-devel@gnu.org
> Subject: Re: LUKS Encryption and Fingerprint readers?
>
> On 29/08/13 20:13, Glenn Washburn wrote:
> > On Thu, 15 Aug 2013 17:51:03 +0100
> > TJ <grub-de...@iam.tj> wrote:
> >
> >> So I'd like to know what support for key-files and/or fingerprint
> >> reading is/could be as input for LUKS unlocking?
> >>
> >> My other thought, to keep things simple, is to encrypt the entire
> >> hard drive and install GRUB and the /boot/ files on the removable USB
> >> key. More clunky but maybe easier to achieve.
> >
> > Based on this comment I assume you currently have an unencrypted boot
> > area on the hard drive and are using an initrd.
>
> I've been using a classical unencrypted boot-loader and kernel/initrd with
> LUKS key-file protected file-systems on the servers and desktops.
>
> I've recently decided to standardise on a single model laptop, the Dell XPS
> m1530, which includes a fingerprint reader. A primary reason for selecting
> this model is its 3 mini-PCIe internal slots and
> good range of external interfaces, coupled with 8GB RAM, VDPAU-supporting
> Nvidia 8600M, 1920x1200 LCD, Blu-ray disc, proper MMC card reader, and
> ExpressCard/54. The laptops are easy to strip down and
> repair and parts are cheap and easy to come by.
>
> The fingerprint reader is quite useful for trivial unlock and sudo
> authorisation and that made me think maybe more use could be made of it. The
> points about fingerprints being lifted from the keys to
> unlock it hadn't occurred to me - that'd be silly so I'm now moving to
> whole-disc encryption with the boot-loader, kernel, and initrd on a key-fob
> USB.
>
> I'd still like GRUB to be able to read a key-file rather than a typed
> pass-phrase, and have the key-file hidden on a (second) small (1GB)
> randomised-data USB flash device (no file-system) so even the
> operator can't be sure where to find the bytes that unlock it.
>
> If we can figure it out we'd like to be able to configure/unlock different
> LVM volumes based on which LUKS slot is used to unlock, too, and log the LUKS
> attempts from GRUB.
>
> Tall order I know, but the technology is there - we just have to join it up!
>
> -----Original Message-----
>
> Hi TJ,
>
> Are you very sure you want this?
> Some time ago I've been experimenting with fingerprints, and the result was
> not encouraging...
> From a security point of view not that many problems (besides all well known
> general issues with fingerprints).
> I mean no false positives, but the huge amount of false negatives: nine
> times out of ten, it did not recognize correctly. Always glad I could still
> use username & pwd.
> As I was testing on IBM-Lenovo laptops, I think (hope) that those readers
> were of decent quality...
>
> So unless the quality of the readers has improved drastically in the last five
> years, you had better think twice before embarking on such a trip...
They have improved. The one on my W530, which is about 9 months old, works very well. Even swiping on a slight angle is no longer a problem. I would say it only fails to recognize a swipe 1 in 20 times. Given how well it worked I was wondering if perhaps it was just letting everything through, but using fingers I didn't register has never worked any time I have tried, so it does seem they really have gotten better.

--
Len Sorensen

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel