Re: [qubes-users] Custom initramfs

2017-09-19 Thread joeviocoe
On Monday, 18 September 2017 23:32:53 UTC-4, cooloutac  wrote:
> On Sunday, September 10, 2017 at 6:02:24 PM UTC-4, joev...@gmail.com wrote:
> > On Monday, 29 August 2016 01:34:11 UTC-4, Raphael Susewind  wrote:
> > > > while initially I thought it would be interesting to try, the only 
> > > > situation when yubikey could actually improve security is having to 
> > > > boot a Qubes PC under unavoidable surveillance.
> > > 
> > > came to the same conclusion - probably not worth the security
> > > tradeoff... Perhaps one can implement a 2FA solution for FDE using
> > > something like paperkey? It would still be the 'someone peeks over my
> > > shoulder in a cafe' kind of scenario, but without the USB compromise
> > 
> > It is not just 'unavoidable surveillance'.
> > Qubes doesn't just run on Laptops.  Think about Desktops.  They require USB 
> > Keyboards since most modern desktop systems don't have PS/2. And since they 
> > require USB Keyboards to enter the LUKS Passphrase, that means the 
> > "rd.qubes.hide_all_usb" option in the bootloader will render the whole 
> > system inaccessible.  So USB security at boot time is not an option, 
> > therefore, not a tradeoff with 2FA.  
> > 
> > It isn't for the "lazy" people either.  2FA means that I don't have to 
> > weaken my passphrase so it's memorable.  And if snooped by some Evil Maid 
> > attack methods, they'll need to pull the token from my cold dead hands too.
> > 
> > I am hoping someone will finish this idea and make it available, especially 
> > for desktop users with yubikey.
> > Unfortunately, I don't have much knowledge on initramfs or dracut to 
> > produce something usable myself.  I have searched all over, and only find 
> > the same abandoned ideas, or directions to using Yubikey for something 
> > other than LUKS, or on a Debian based system.
> > 
> > Please help.
> > Thank you.
> 
> almost all motherboards still come with ps/2.  only budget gaming ones don't. 
>  but even most gaming ones do.

Fair point.  I was thinking more in my price range.  Dell XPS 8900.

My solution so far is to use YKLUKS from here:  https://github.com/the2nd/ykluks

It does include a grub2 "rd.ykluks.hide_all_usb" feature to only temporarily 
turn on USBs during the 
https://groups.google.com/forum/#!msg/qubes-users/hB0XaquzBAg/aPQmmLBwBgAJ
"Besides the yubikey/luks stuff the module handles the rd.qubes.hide_all_usb 
stuff via its own rd.ykluks.hide_all_usb command line parameter because the 
yubikey is connected via USB and needs to be accessible until we got the 
challenge from it. I am still unsure if this is the best method to implement 
this. So if anyone with a deeper knowledge of qubes/dracut does have a 
better/more secure solution I'm happy about any help."

It works.  I think it's the best I can do since I am more concerned with 2FA 
than bad USB devices.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/58fe4e5d-508d-4613-a926-79a0e5571c30%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Custom initramfs

2017-09-10 Thread joeviocoe
On Monday, 29 August 2016 01:34:11 UTC-4, Raphael Susewind  wrote:
> > while initially I thought it would be interesting to try, the only 
> > situation when yubikey could actually improve security is having to boot a 
> > Qubes PC under unavoidable surveillance.
> 
> came to the same conclusion - probably not worth the security
> tradeoff... Perhaps one can implement a 2FA solution for FDE using
> something like paperkey? It would still be the 'someone peeks over my
> shoulder in a cafe' kind of scenario, but without the USB compromise

It is not just 'unavoidable surveillance'.
Qubes doesn't just run on Laptops.  Think about Desktops.  They require USB 
Keyboards since most modern desktop systems don't have PS/2. And since they 
require USB Keyboards to enter the LUKS Passphrase, that means the 
"rd.qubes.hide_all_usb" option in the bootloader will render the whole system 
inaccessible.  So USB security at boot time is not an option, therefore, not a 
tradeoff with 2FA.  

It isn't for the "lazy" people either.  2FA means that I don't have to weaken 
my passphrase so it's memorable.  And if snooped by some Evil Maid attack 
methods, they'll need to pull the token from my cold dead hands too.

I am hoping someone will finish this idea and make it available, especially for 
desktop users with yubikey.
Unfortunately, I don't have much knowledge on initramfs or dracut to produce 
something usable myself.  I have searched all over, and only find the same 
abandoned ideas, or directions to using Yubikey for something other than LUKS, 
or on a Debian based system.

Please help.
Thank you.

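The mechanism behind the "2FA means I don't have to weaken my passphrase" argument above and the yubikey-luks/ykluks approach mentioned in this thread, modelled as an added example (this is not code from either project or from the thread): the passphrase is sent to the token as the challenge, and the token's HMAC-SHA1 response is the only input to the LUKS key material, so the passphrase alone is not enough to reproduce the key. The 20-byte token secret is constructed for the demo, and hashing the response to 32 bytes is an assumption.

```python
import hashlib
import hmac

# Constructed 20-byte HMAC secret standing in for the one programmed into a
# YubiKey's challenge-response slot (a real token never reveals it).
DEMO_TOKEN_SECRET = bytes(range(1, 21))


def yubikey_challenge_response(secret: bytes, challenge: bytes) -> bytes:
    """HMAC-SHA1 of the challenge, as a YubiKey slot configured for
    HMAC-SHA1 challenge-response computes it. The 64-byte edge case of
    variable-input mode is left to ykchalresp and not modelled here."""
    if not 1 <= len(challenge) <= 63:
        raise ValueError("challenge must be 1..63 bytes")
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def derive_luks_key(passphrase: str, respond) -> bytes:
    """Combine the two factors: the passphrase (something you know) is the
    challenge; the token's response (something you have) is what becomes
    the key. Reducing the response to 32 bytes with SHA-256 is an assumption
    made for this demo, not a claim about either project's key format."""
    response = respond(passphrase.encode())
    return hashlib.sha256(response).digest()


def enroll(passphrase: str, secret: bytes) -> bytes:
    """Key material that would be added to a LUKS keyslot at setup time."""
    return derive_luks_key(passphrase,
                           lambda c: yubikey_challenge_response(secret, c))


def unlock(passphrase: str, secret: bytes, enrolled_key: bytes) -> bool:
    """Stand-in for the keyslot check at boot: the key recomputed from
    passphrase + token must match what was enrolled. Both factors are
    needed; a different token or a different passphrase both fail."""
    candidate = derive_luks_key(passphrase,
                                lambda c: yubikey_challenge_response(secret, c))
    return hmac.compare_digest(candidate, enrolled_key)


if __name__ == "__main__":
    other_token = bytes(range(21, 41))  # a second, constructed token secret
    key = enroll("hunter2", DEMO_TOKEN_SECRET)
    print("right passphrase + right token:", unlock("hunter2", DEMO_TOKEN_SECRET, key))
    print("right passphrase + other token:", unlock("hunter2", other_token, key))
    print("wrong passphrase + right token:", unlock("hunter3", DEMO_TOKEN_SECRET, key))
```

The challenge-response function is checked against RFC 2202 test case 1 in the test below, so the modelled token behaviour is standard HMAC-SHA1 rather than a toy.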


Re: [qubes-users] Custom initramfs

2016-08-28 Thread Raphael Susewind
> while initially I thought it would be interesting to try, the only situation 
> when yubikey could actually improve security is having to boot a Qubes PC 
> under unavoidable surveillance.

came to the same conclusion - probably not worth the security
tradeoff... Perhaps one can implement a 2FA solution for FDE using
something like paperkey? It would still be the 'someone peeks over my
shoulder in a cafe' kind of scenario, but without the USB compromise



Re: [qubes-users] Custom initramfs

2016-08-27 Thread Connor Page
After giving it a thought I decided to keep USB devices out of dom0. The solution 
for Debian is real 2FA but ykfde is for lazy people. I gave it as an example of 
dracut hooks. Theoretically you can rearrange hooks so that yubikey 
authentication happens before rd.qubes.hide_all_usb is processed, but there is 
a risk that Qubes hooks might fail and leave USB controllers in dom0. If you 
already have a controller in dom0 then perhaps it wouldn't make security worse.
While initially I thought it would be interesting to try, the only situation 
when yubikey could actually improve security is having to boot a Qubes PC under 
unavoidable surveillance.



Re: [qubes-users] Custom initramfs

2016-08-27 Thread Raphael Susewind
> this is an interesting idea. initramfs is generated by dracut. read this 
> https://github.com/nj0y/ykfde/blob/master/README-dracut.md

Yes, I gave ykfde a try. Problem is that Qubes still shows its custom
FDE password screen on startup, and never the ykfde second factor one...

(possibly - but just a hunch - because the only way to get rid of the
Qubes dialog is unlocking the drive, following which ykfde is unnecessary).

Let me know if you get it to work - I gave up for now (don't want to mess
up my dracut setup too much given my lack of experience).



[qubes-users] Custom initramfs

2016-08-26 Thread Connor Page
this is an interesting idea. initramfs is generated by dracut. read this 
https://github.com/nj0y/ykfde/blob/master/README-dracut.md



[qubes-users] Custom initramfs

2016-08-25 Thread Raphael Susewind
Dear all,

how can I create a custom initramfs for dom0, using the current one as
template? I was hoping for something like initramfs-tools in Debian...

The aim is to include yubikey-luks in the FDE unlocking:
https://github.com/cornelinux/yubikey-luks

There might be other use cases, too - perhaps make a FAQ entry on this?

Thanks,
Raphael
