[dm-crypt] Two Factor Authentication With LUKS

Arno Wagner arno at wagner.name
Wed Jun 18 21:41:03 CEST 2014

On Wed, Jun 18, 2014 at 17:37:14 CEST, Yves-Alexis Perez wrote:
> On mar., 2014-06-17 at 20:11 +0200, Arno Wagner wrote:
> > But you should know that an RSA token does not provide any secret
> > when used to authenticate. It proves that it knows a secret, but 
> > that secret is not transferred. Hence an RSA token is not suitable
> > for use with disk encryption. 
> Well, if the hardware device is able to decrypt something (like a pkcs11
> token or an OpenPGP smartcard, for example), it's at least possible to
> store an encrypted keyfile somewhere accessible at boot, then ask the
> token for decryption and feed that to cryptsetup.

True, but then the disk-encryption is done via that Smartcard or
pkcs11 token. The RSA token would just communicate with them
and not with the disk-encryption and it becomes a different 
> I'm not sure if Google Authenticator and the RSA token you're talking
> about fit in that description though.

I am not sure either. 

Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
A good decision is based on knowledge and not on numbers. -  Plato
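
Added example, not part of the original message or of cryptsetup: a Python sketch of the distinction discussed above, contrasting a one-time code that only proves knowledge of a secret with a token that decrypts a stored keyfile. It assumes an RFC 6238 TOTP code as the one-time-code scheme; `DecryptingToken`, `key_from_code` and `compare` are hypothetical names, and the HMAC keystream is a toy stand-in for a smartcard or PKCS#11 decrypt operation.

```python
import hashlib
import hmac
import struct

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1): proves knowledge of `seed`, reveals no key."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def key_from_code(code: str) -> bytes:
    """Naive idea: hash the displayed code into a volume key."""
    return hashlib.sha256(code.encode()).digest()

class DecryptingToken:
    """Hypothetical stand-in for a smartcard/PKCS#11 decrypt operation.
    The HMAC-SHA256 keystream XOR is a toy for illustration, not a real cipher."""

    def __init__(self, card_secret: bytes):
        self._card_secret = card_secret  # never leaves the token

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        blocks = (hmac.new(self._card_secret, nonce + struct.pack(">I", i),
                           hashlib.sha256).digest()
                  for i in range((length + 31) // 32))
        return b"".join(blocks)[:length]

    def wrap(self, nonce: bytes, data: bytes) -> bytes:
        return bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))

    unwrap = wrap  # XOR stream: the same operation decrypts

def compare(seed: bytes, keyfile: bytes, boot_times: list) -> dict:
    """Return the distinct keys each approach yields across several boots."""
    otp_keys = {key_from_code(totp(seed, t)) for t in boot_times}
    token = DecryptingToken(b"constructed card secret")
    blob = token.wrap(b"nonce-01", keyfile)   # encrypted keyfile stored at boot
    unwrapped = {token.unwrap(b"nonce-01", blob) for _ in boot_times}
    return {"otp_keys": otp_keys, "unwrapped": unwrapped, "blob": blob}

if __name__ == "__main__":
    # Constructed inputs: RFC 6238 test seed, a dummy 32-byte keyfile, two boot times.
    r = compare(b"12345678901234567890", bytes(range(32)), [59, 1111111109])
    print(len(r["otp_keys"]), "different keys from one-time codes")
    print(len(r["unwrapped"]), "stable keyfile from the decrypting token")
```

The code derived from a one-time value changes with every time step, so it cannot serve as a stable volume key, while the unwrapped keyfile is the same on every boot and is what would be fed to cryptsetup.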
