Hi all,
I wrote a module for dracut to allow 2FA on LUKS. Currently it's a beta version. AFAIK a native solution for dracut already exists; however, it isn't compatible with systemd, and the latter is enabled by default. Furthermore it uses GPG, but because there is already the LUKS support I prefer to use the latter. Furthermore I find a completely encrypted volume more useful.
> How does it work?
A target LUKS volume will be decrypted and attached iff the user provides a password for another LUKS volume on which there is a key for the first volume. So the user provides "something that possesses" (e.g. an SD card) and "something that knows" (i.e. the password to unlock the SD card). In this way, to unlock the LUKS volume, an attacker (excluding EM attack) needs a copy of the volume and its password. I think that it's very useful to unlock the root volume in this way.
Currently this relation is specified with a kernel cmdline parameter: rd.luks.2fa=UUID=keyfile_UUID:keyfile_path:UUID=target_UUID[:timeout]. This parameter is translated by a systemd-generator to a systemd.service.
> Why?
I wrote this module because it's very common to have a single USB controller that doesn't support any form of reset. For this reason I prefer to have that controller permanently attached to a USBVM, so completely hidden from dom0. Obviously it requires some other way (e.g. SD card reader) to read another LUKS volume. From what I saw it's very common to have a separate SD card reader that supports reset. So after the boot the SD card reader could be attached to another qube (strongly recommended). In this way future SD cards aren't attached to dom0.
What do you think? How could it be improved?
Best Regards,
Raffaele.
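As an added illustration of the `rd.luks.2fa=` parameter format described in the post (example code, not the author's dracut module), here is a strict parser for that parameter and the kind of oneshot unit a generator could emit from it. The mapper names, the mount point and the unit layout are assumptions; the page does not describe the author's own generator output.

```python
import re

_UUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def parse_rd_luks_2fa(value):
    """Parse 'UUID=keyfile_UUID:keyfile_path:UUID=target_UUID[:timeout]'.
    Raises ValueError on malformed input so a generator fails closed."""
    parts = value.split(":")
    if len(parts) not in (3, 4):
        raise ValueError("expected 3 or 4 colon-separated fields")
    spec = {}
    for name, field in (("keyfile_uuid", parts[0]), ("target_uuid", parts[2])):
        if not field.startswith("UUID="):
            raise ValueError(f"{name} must be written as UUID=...")
        uuid = field[5:].lower()
        if not _UUID.match(uuid):
            raise ValueError(f"{name} is not a well-formed UUID")
        spec[name] = uuid
    if not parts[1].startswith("/"):
        raise ValueError("keyfile_path must be absolute within the key volume")
    spec["keyfile_path"] = parts[1]
    spec["timeout"] = int(parts[3]) if len(parts) == 4 else None  # seconds
    if spec["timeout"] is not None and spec["timeout"] <= 0:
        raise ValueError("timeout must be a positive number of seconds")
    return spec

def device_unit(uuid):
    """systemd .device unit for /dev/disk/by-uuid/<uuid>; '-' escapes to \\x2d."""
    return "dev-disk-by\\x2duuid-" + uuid.replace("-", "\\x2d") + ".device"

def render_unit(spec, mnt="/run/luks-2fa-key"):
    """Emit a oneshot service: unlock and mount the key volume read-only, open the
    target with the keyfile found on it, then detach the key volume again
    (ExecStopPost= runs even after a failed step, e.g. a wrong password).
    Mapper names and mount point are assumptions, not the author's conventions."""
    key = "/dev/disk/by-uuid/" + spec["keyfile_uuid"]
    tgt = "/dev/disk/by-uuid/" + spec["target_uuid"]
    timeout = f"--timeout={spec['timeout']} " if spec["timeout"] else ""
    return "\n".join([
        "[Unit]", f"Description=2FA unlock of LUKS {spec['target_uuid']}",
        "DefaultDependencies=no", "Before=cryptsetup.target",
        f"After={device_unit(spec['keyfile_uuid'])} {device_unit(spec['target_uuid'])}",
        "", "[Service]", "Type=oneshot", "RemainAfterExit=yes",
        f"ExecStartPre=/bin/mkdir -p {mnt}",
        f"ExecStart=/usr/sbin/cryptsetup open {timeout}{key} luks-2fa-key",
        f"ExecStart=/bin/mount -o ro /dev/mapper/luks-2fa-key {mnt}",
        f"ExecStart=/usr/sbin/cryptsetup open --key-file {mnt}{spec['keyfile_path']}"
        f" {tgt} luks-{spec['target_uuid']}",
        f"ExecStopPost=-/bin/umount {mnt}",
        "ExecStopPost=-/usr/sbin/cryptsetup close luks-2fa-key", ""])
```

A real generator would read the value from /proc/cmdline and write the rendered text into the early generator directory; refusing to emit a unit on any parse error keeps a mistyped parameter from silently leaving the target locked without explanation.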