Re: USB key requirement.
On Mon, 10 Jan 2011 13:45:29 +0000
Darac Marjal <mailinglist@darac.org.uk> wrote:
> On Sun, Jan 09, 2011 at 09:42:03PM -0800, Dan Serban wrote:
> > So, I'm currently switching my 9 workstations around the house to
> > diskless boot. They mount nfs shares that reside on top of an
> > encrypted raid server. This is all fine and good.
> >
> > What I'd like to do:
> >
> > On a specific workstation, on boot, i'd like to require that a
> > specific usb memory stick be inserted in the system. ie. one that
> > contains a key which will allow the boot process to continue.
> >
> > Can this be done? If so, what should I use to make it less than
> > easy to decipher?
> >
> > Maybe a GPG encoded text file that matches against a plain text one?
> > (that's insecure)...
> >
> > I don't know. Do any of you have any suggestions?
>
> If the requirement can be relaxed to be some other sort of USB device,
> you could look at something like this:
> http://www.etokenonlinux.org/et/HowTos/eToken_and_LUKS
>
> The eToken is basically a smartcard that plugs into USB.
I still don't really understand the difference apart from it containing
a key that I match against. Which is in essence what I was asking to
do with a USB block device which looks much cheaper than the eToken.
>
> If it has to be a USB Mass Storage device, try this:
> http://binblog.info/2008/12/04/using-a-usb-key-for-the-luks-passphrase/
>
This I've already done with my server, the usb key is inserted into the
server to allow it to boot (with the key), what I was asking was for a
method to halt a diskless boot (or one with a disk) if a specific USB
key wasn't available. So my thoughts went to Vendor ID, serial number,
and also a key to compare against on the root filesystem.
My case is different in the sense that I'm not decrypting my block
volumes, just halting a boot sequence.
> Remember, Google is your friend.
>
My google-fu is weak. All I run into is stuff like you've suggested so
far, and how to install debian via a USB key. Nothing like what I want.
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
> > listmaster@lists.debian.org Archive:
> > [🔎] 20110109214203.09dced39@ws82.int.tlc">http://lists.debian.org/[🔎] 20110109214203.09dced39@ws82.int.tlc
> >
Reply to: