A pondering about Encrypting the Keycard for a LUKS/LVM partition.
So I was wondering about the dilemma of how to encrypt the password file on a key card to unlock your hard drive without having to enter any password. I came to the conclusion that the scripts could do this without storing any passwords in plain text themselves.
Have a few extra steps to the scripts that would:
1. Read the UUID of any disks coming in.
2. Attempt to use that ID to decrypt a password file stored in the initrd.
3. Use the decrypted password file to unlock the keycard partition.
4. THEN use the password files on the keycard to decrypt the main partition and boot the system.
However, if somebody stole your key card and didn't know what the unencrypted information was, then it's harmless for them to have it anyway. And if they did know, you wouldn't be any better off with it being encrypted because they probably can gain access to your computer anyway; leaving them to just pop the key card in and automatically decrypt the drive.
I suppose encrypting the keycard would give you extra assurance that the information would be much harder to recover if you destroyed the key card in a hurry.
So would this extra security step even be worth it?
I guess the most secure thing would be to only have a password and type it in every time... unless you are concerned about the aliens/government stealing that from your brain which would probably mean they wouldn't need your password anyway.
Last edited by lumak; 08-15-2010 at 01:53 PM.
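Steps 1 to 3 of the post above, sketched as an added example that is not part of the original post: a keyfile is wrapped under a key derived from a disk UUID, then unwrapped by trying the UUID of each attached disk. The helper names, the `KEYFILE1` marker, the sample UUIDs and the choice of `openssl enc` are assumptions made for illustration.

```shell
#!/bin/sh
# Added sketch of steps 1-3 of the post. Helper names, the MAGIC marker and
# the sample UUIDs are constructed for illustration.
MAGIC=KEYFILE1   # 8-byte marker so a wrong UUID is detected reliably

# wrap_keyfile KEYFILE OUT UUID: encrypt KEYFILE under a key derived from UUID.
wrap_keyfile() {
    { printf '%s' "$MAGIC"; cat "$1"; } |
        openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
            -out "$2" -pass "pass:$3"
}

# unwrap_with_uuids WRAPPED OUT UUID...: try each attached disk's UUID.
# Prints the UUID that worked and returns 0; returns 1 if none decrypts.
unwrap_with_uuids() {
    wrapped=$1; out=$2; shift 2
    tmp=$(mktemp) || return 1
    for uuid in "$@"; do
        if openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
               -in "$wrapped" -out "$tmp" -pass "pass:$uuid" 2>/dev/null &&
           [ "$(head -c 8 "$tmp" 2>/dev/null | tr -d '\0')" = "$MAGIC" ]; then
            tail -c +9 "$tmp" > "$out"
            rm -f "$tmp"
            printf '%s\n' "$uuid"
            return 0
        fi
    done
    rm -f "$tmp"
    return 1
}

# demo: wrap a constructed keyfile, then present two UUIDs as a boot would.
demo() {
    d=$(mktemp -d) || return 1
    card=3f2b8c1e-9d47-4a6b-b1c0-5e7a2d9f0c44    # constructed keycard UUID
    other=11111111-2222-4333-8444-555555555555   # constructed unrelated disk
    printf 'constructed-card-passphrase' > "$d/card.key"
    wrap_keyfile "$d/card.key" "$d/card.key.enc" "$card"
    # In an initrd the UUID list would come from blkid, and the recovered
    # file would go to cryptsetup as the key file for the keycard partition.
    found=$(unwrap_with_uuids "$d/card.key.enc" "$d/out.key" "$other" "$card")
    cmp -s "$d/card.key" "$d/out.key" && echo "unlocked with $found"
    rm -rf "$d"
}
demo
```

Because the UUID is stored unencrypted on the card, anyone holding both the card and the initrd can run the same unwrap, which is the case the post already concludes is not improved.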