/qubes-issues

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Integrate 2FA/YubiKey into LUKS #2712

Open
rugk opened this Issue Mar 18, 2017 · 3 comments

Comments

Assignees
No one assigned
Labels
Projects
None yet
Milestone
  Far in the future
4 participants
@rugk @andrewdavidwong @Joeviocoe @marmarek
@rugk

rugk commented Mar 18, 2017

It would be nice if you could integrate the 2FA/YubiKey into luks.

See these instructions and this site e.g.

@rugk rugk changed the title from Integrate 2FA/YubiKey to Integrate 2FA/YubiKey into LUKS Mar 18, 2017

@andrewdavidwong andrewdavidwong added crypto enhancement help wanted P: minor labels Mar 18, 2017

@andrewdavidwong andrewdavidwong added this to the Far in the future milestone Mar 18, 2017

@andrewdavidwong

This comment has been minimized.

Show comment
Hide comment
@andrewdavidwong

andrewdavidwong Mar 18, 2017

Member

Related: #1979
Member

andrewdavidwong commented Mar 18, 2017

Related: #1979

@andrewdavidwong andrewdavidwong added the C: other label Mar 18, 2017

@Joeviocoe

This comment has been minimized.

Show comment
Hide comment
@Joeviocoe

Joeviocoe Sep 10, 2017

Qubes doesn't just run on Laptops. Think about Desktops. They require USB Keyboards since most modern desktop systems don't have PS/2. And since they require USB Keyboards to enter the LUKS Passphrase, that means the "rd.qubes.hide_all_usb" option in the bootloader will render the whole system inaccessible. So USB security at boot time is not an option, therefore, not a tradeoff with 2FA for LUKS.

2FA means that I don't have to weaken my passphrase so its memorable. And if snooped by some Evil Maid attack methods, they'll need to pull the token from my cold dead hands too. AEM for Qubes only works with USB storage, not Yubikey Challenge/Response, and still requires a TPM which desktops don't often have.

I am hoping someone will finish this idea and make it available, especially for desktop users with yubikey.
Unfortunately, I don't have much knowledge on initramfs or dracut to produce something usable myself. I have searched all over, and only find the same abandoned ideas, or directions to using Yubikey for something other than LUKS, or on a Debian based system.

Please help.
Thank you.

Joeviocoe commented Sep 10, 2017

Qubes doesn't just run on Laptops. Think about Desktops. They require USB Keyboards since most modern desktop systems don't have PS/2. And since they require USB Keyboards to enter the LUKS Passphrase, that means the "rd.qubes.hide_all_usb" option in the bootloader will render the whole system inaccessible. So USB security at boot time is not an option, therefore, not a tradeoff with 2FA for LUKS.

2FA means that I don't have to weaken my passphrase so its memorable. And if snooped by some Evil Maid attack methods, they'll need to pull the token from my cold dead hands too. AEM for Qubes only works with USB storage, not Yubikey Challenge/Response, and still requires a TPM which desktops don't often have.

I am hoping someone will finish this idea and make it available, especially for desktop users with yubikey.
Unfortunately, I don't have much knowledge on initramfs or dracut to produce something usable myself. I have searched all over, and only find the same abandoned ideas, or directions to using Yubikey for something other than LUKS, or on a Debian based system.

Please help.
Thank you.
@marmarek

andrewdavidwong added a commit that referenced this issue Sep 29, 2017

@andrewdavidwong
Track #2712
Verified
This commit was signed with a verified signature.
@andrewdavidwong andrewdavidwong Andrew David Wong
GPG key ID: 8CE137352A019A17 Learn about signing commits
c3aedce
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment