On Monday, 18 September 2017 23:32:53 UTC-4, cooloutac wrote:
> On Sunday, September 10, 2017 at 6:02:24 PM UTC-4, joev...@gmail.com wrote:
> > On Monday, 29 August 2016 01:34:11 UTC-4, Raphael Susewind wrote:
> > > > while initially I thought it would be interesting to try, the only
> > > > situation when yubikey could actually improve security is having to
> > > > boot a Qubes PC under unavoidable surveillance.
> > >
> > > came to the same conclusion - probably not worth the security
> > > tradeoff... Perhaps one can implement a 2FA solution for FDE using
> > > something like paperkey? It would still be the 'someone peeks over my
> > > shoulder in a cafe' kind of scenario, but without the USB compromise
> >
> > It is not just 'unavoidable surveillance'.
> > Qubes doesn't just run on Laptops. Think about Desktops. They require USB
> > Keyboards since most modern desktop systems don't have PS/2. And since they
> > require USB Keyboards to enter the LUKS Passphrase, that means the
> > "rd.qubes.hide_all_usb" option in the bootloader will render the whole
> > system inaccessible. So USB security at boot time is not an option,
> > therefore, not a tradeoff with 2FA.
> >
> > It isn't for the "lazy" people either. 2FA means that I don't have to
> > weaken my passphrase so it's memorable. And if snooped by some Evil Maid
> > attack methods, they'll need to pull the token from my cold dead hands too.
> >
> > I am hoping someone will finish this idea and make it available, especially
> > for desktop users with yubikey.
> > Unfortunately, I don't have much knowledge on initramfs or dracut to
> > produce something usable myself. I have searched all over, and only find
> > the same abandoned ideas, or directions to using Yubikey for something
> > other than LUKS, or on a Debian based system.
> >
> > Please help.
> > Thank you.
>
> almost all motherboards still come with ps/2. only budget gaming ones don't.
> but even most gaming ones do.

Fair point. I was thinking more in my price range. Dell XPS 8900.

My solution so far is to use YKLUKS from here:
https://github.com/the2nd/ykluks

It does include a grub2 "rd.ykluks.hide_all_usb" feature to only temporarily turn on USBs during the

https://groups.google.com/forum/#!msg/qubes-users/hB0XaquzBAg/aPQmmLBwBgAJ

"Besides the yubikey/luks stuff the module handles the rd.qubes.hide_all_usb stuff via its own rd.ykluks.hide_all_usb command line parameter because the yubikey is connected via USB and needs to be accessible until we got the challenge from it. I am still unsure if this is the best method to implement this. So if anyone with a deeper knowledge of qubes/dracut does have a better/more secure solution I am happy about any help."

It works. I think it's the best I can do since I am more concerned with 2FA than bad USB devices.