[dm-crypt] Two Factor Authentication With LUKS
arno at wagner.name
Wed Jun 18 21:41:03 CEST 2014
On Wed, Jun 18, 2014 at 17:37:14 CEST, Yves-Alexis Perez wrote:
> On mar., 2014-06-17 at 20:11 +0200, Arno Wagner wrote:
> > But you should know that an RSA token does not provide any secret
> > when used to authenticate. It proves that it knows a secret, but
> > that secret is not transferred. Hence an RSA token is not suitable
> > for use with disk encryption.
>
> Well, if the hardware device is able to decrypt something (like a pkcs11
> token or an OpenPGP smartcard, for example), it's at least possible to
> store an encrypted keyfile somewhere accessible at boot, then ask the
> token for decryption and feed that to cryptsetup.

True, but then the disk-encryption is done via that Smartcard or
pkcs11 token. The RSA token would just communicate with them
and not with the disk-encryption and it becomes a different

> I'm not sure if google authenticator and the RSA token you're talking
> about fit in that description though.

I am not sure either.

Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno at wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
A good decision is based on knowledge and not on numbers. - Plato
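
The keyfile approach discussed in the quoted reply above, as an added example that is not part of the original thread: an encrypted keyfile is decrypted by the token and piped into cryptsetup. It assumes the keyfile was encrypted with gpg to a key held on an OpenPGP smartcard; the function name, paths, device and mapping name are hypothetical.

```shell
#!/bin/sh
# Added example: unlock a LUKS volume with a keyfile that only the
# smartcard can decrypt. All paths and names are assumptions.

# unlock_with_token KEYFILE_GPG DEVICE NAME
#   KEYFILE_GPG  keyfile encrypted to the card's key, stored somewhere
#                readable at boot (for example an unencrypted /boot)
#   DEVICE       the LUKS block device
#   NAME         device-mapper name for the opened volume
unlock_with_token() {
    if [ "$#" -ne 3 ]; then
        echo "usage: unlock_with_token KEYFILE_GPG DEVICE NAME" >&2
        return 2
    fi
    keyfile_gpg=$1
    device=$2
    name=$3

    if [ ! -r "$keyfile_gpg" ]; then
        echo "encrypted keyfile not readable: $keyfile_gpg" >&2
        return 1
    fi

    # gpg asks the card (and the user for the card PIN) to decrypt. The
    # plaintext key goes straight into cryptsetup over the pipe and is
    # never written to disk. --key-file=- makes cryptsetup read the whole
    # stream as the key, without stripping newlines.
    # If the card is absent, gpg writes nothing, cryptsetup gets no valid
    # key and fails, so the pipeline's exit status stays meaningful.
    gpg --quiet --decrypt "$keyfile_gpg" |
        cryptsetup open --type luks --key-file=- "$device" "$name"
}

# Typical call (values are placeholders):
#   unlock_with_token /boot/root.key.gpg /dev/sda2 cryptroot
```

Here the card never releases its private key; it only unwraps the keyfile, which is the secret that LUKS actually sees.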