On Fri, Oct 25, 2019 at 12:20 PM Normen Wohner <nor...@wohner.eu> wrote:
>
>
> > On 24.10.2019 at 03:27, Aaron Mason <simplersolut...@gmail.com> wrote:
> >
> > On Wed, Oct 23, 2019 at 7:45 PM Normen Wohner <nor...@wohner.eu> wrote:
> >>
> >> To enable two-factor encryption?
> >> One passcode is in his head, the other on a key.
> >> If either is missing, the data on the drive is unreadable.
> >> I don't know what is hard to understand about it.
> >> In an ideal world you'd use the manual passcode
> >> to decrypt the keydisk and then the keydisk
> >> to decrypt the fs.
> >> You should also not be able to tell
> >> whether the keydisk was in fact encrypted;
> >> the bootloader should try and on failure ask
> >> for a passcode, not expect there to be some
> >> 'RSA-2048' written at the end.
> >> It's hard for me to understand why nobody asked for this sooner.
> >>
> >
> > You could just use a passphrase on the original disk to the same
> > effect. No sense over-complicating things.
>
> No, you could not; that way whoever has the keydisk has access to the files
> on disk, otherwise you still need a password. Not sure what is unclear about
> this. Maybe you think this is about login? It is actually about obfuscating
> the login process and enabling 2FA.
> Maybe you think live files are still encrypted when the OS runs but no user
> is logged in. That is sadly not the case.
Or maybe I think the password is asked for on boot. No access to files
until that passphrase is entered, regardless of whether someone is
logged in or not.

If you wanted the files hidden prior to login, write two scripts - one
to mount the encrypted volume, the other to unmount - allow them to be
run without password in doas.conf(5), then run them from ~/.profile,
using trap (see
https://www.cyberciti.biz/faq/linux-unix-run-commands-when-you-log-out/
for more details) to run the unmount script on logoff.

>
> Regarding your second question, whatever part or level of the "bootloader"
> normally checks for keydisk already has access to the full range of supported
> en- and decryption mechanisms, as it uses the key to do just that to the disk.
> This would simply add a second decrypt trial.
>

That doesn't answer the question of how it's going to access an
encrypted key without the key to decrypt it.

--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
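The two-script mount/unmount arrangement suggested above, worked out as an added example that is not part of the thread; the device path, mount point, user name, script locations and doas.conf rules are all assumed.

```shell
#!/bin/sh
# Assumed layout (not from the thread): the softraid volume unlocked at boot
# appears as /dev/sd2a and is mounted at /home/alice/vault only while alice
# is logged in. /etc/doas.conf (assumed) grants exactly these two commands:
#   permit nopass alice cmd /usr/local/sbin/vault-mount
#   permit nopass alice cmd /usr/local/sbin/vault-umount
# Install this file root-owned, mode 0755, as both /usr/local/sbin/vault-mount
# and /usr/local/sbin/vault-umount (a hard link is enough); it dispatches on $0.

VAULT_DEV=/dev/sd2a          # fixed in the root-owned script, never from the caller
VAULT_MNT=/home/alice/vault  # fixed in the root-owned script, never from the caller
DRY_RUN="${DRY_RUN:-0}"      # 1: print the privileged command instead of running it

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# A plain 'permit ... cmd' rule without 'args' lets the caller pass any
# arguments, so a script that runs as root must not let an unprivileged user
# choose the device or mount point: refuse every argument rather than parse it.
reject_args() {
    if [ "$#" -ne 0 ]; then
        echo "usage: ${0##*/} (takes no arguments)" >&2
        return 2
    fi
}

vault_mount() {
    reject_args "$@" || return 2
    # nodev,nosuid: a user-controlled volume should not carry device nodes or setuid binaries
    run mount -o nodev,nosuid "$VAULT_DEV" "$VAULT_MNT"
}

vault_umount() {
    reject_args "$@" || return 2
    run umount "$VAULT_MNT"
}

# ~/.profile fragment (assumed): the login shell sources ~/.profile, so the
# EXIT trap fires when that shell ends and the volume disappears at logout.
#   doas /usr/local/sbin/vault-mount
#   trap 'doas /usr/local/sbin/vault-umount' EXIT HUP

case "${0##*/}" in
    vault-mount)  vault_mount "$@" ;;
    vault-umount) vault_umount "$@" ;;
esac
```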