[dm-crypt] Two Factor Authentication With LUKS

Yves-Alexis Perez corsac at debian.org
Wed Jun 18 17:37:14 CEST 2014


On Tue, 2014-06-17 at 20:11 +0200, Arno Wagner wrote:
> But you should know that an RSA token does not provide any secret 
> when used to authenticate. It proves that it knows a secret, but 
> that secret is not transferred. Hence an RSA token is not suitable
> for use with disk encryption. 

Well, if the hardware device is able to decrypt something (like a pkcs11
token or an OpenPGP smartcard, for example), it's at least possible to
store an encrypted keyfile somewhere accessible at boot, then ask the
token for decryption and feed that to cryptsetup.

I'm not sure if Google Authenticator and the RSA token you're talking
about fit in that description though.

Regards,
-- 
Yves-Alexis
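
The scheme described in the message above (encrypted keyfile reachable at boot, decrypted by the token, result fed to cryptsetup), as an added example that is not part of the original message. It assumes an OpenPGP smartcard driven through gpg; the helper name `unlock_with_token` and all paths are hypothetical.

```shell
#!/bin/sh
# Added example: unlock a LUKS volume with a keyfile only the token can decrypt.
# Assumptions: an OpenPGP smartcard used through gpg; the keyfile was encrypted
# to the card's key, and its plaintext was enrolled in a LUKS keyslot beforehand.
# GPG/CRYPTSETUP can be overridden (e.g. for testing with stubs).
GPG="${GPG:-gpg}"
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"

# unlock_with_token ENC_KEYFILE DEVICE MAPPER_NAME  (hypothetical helper name)
unlock_with_token() {
    enc_keyfile=$1
    device=$2
    name=$3

    if [ ! -r "$enc_keyfile" ]; then
        echo "encrypted keyfile not readable: $enc_keyfile" >&2
        return 2
    fi
    if [ ! -e "$device" ]; then
        echo "device not found: $device" >&2
        return 2
    fi

    # gpg hands the private-key operation to the card (PIN via pinentry), so
    # the decryption key never leaves the token. The plaintext keyfile exists
    # only in the pipe; "--key-file -" makes cryptsetup read stdin up to EOF.
    # If the card is absent or the PIN is wrong, gpg emits nothing and
    # cryptsetup rejects the empty key, so the function returns non-zero.
    "$GPG" --quiet --decrypt "$enc_keyfile" |
        "$CRYPTSETUP" open --type luks --key-file - "$device" "$name"
}

# Stand-alone use (placeholder paths):
#   sh unlock.sh /boot/root.key.gpg /dev/sdX2 cryptroot
if [ "$#" -eq 3 ]; then
    unlock_with_token "$@"
fi
```

Keep a passphrase in a second LUKS keyslot so the volume stays recoverable if the card is lost or fails.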