Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Confusion about using USB Security Dongles to decrypt hard drive #86

Open
copyvar opened this issue Jan 12, 2022 · 1 comment
Open

Confusion about using USB Security Dongles to decrypt hard drive #86

copyvar opened this issue Jan 12, 2022 · 1 comment

Comments

@copyvar
Copy link

copyvar commented Jan 12, 2022

As far as I understand, you can use your - for example Nitrokey Pro - to "avoid" typing in the Disk Recovery Key. The Disk Recovery Key is the key used at OS installation for the encrypted root partition (passphrase placed in LUKS keyslot 0). So I can use this key whenever I connect my harddrive to another computer.

For me, it would be logical, if I use my GPG key on my Nitrokey to do some magic to decrypt my harddrive (or decrypt some parts on the TPM which then decrypts my harddrive). It would make sense, if I would need to type in my Nitrokey User PIN to decrypt my harddrive.

Instead I am asked for another password in Heads when I try to set up this. This confuses me.

I read https://osresearch.net/Keys/

(Added for newcomers: The Nitrokey User PIN is - obviously - relatively easy to guess, if brute force methods are available. But the USB Security dongles are actually locking the user out of their User role if 3 bad attempts were made, so it is safe, to use the PIN to unlock/decrypt my harddrive.)

@tlaurion
Copy link
Collaborator

tlaurion commented Jan 12, 2022

@copyvar A lot of back and forth have happened in the goal of improving the wiki in the past on that subject, where your question seems answered in that part (should be merged but was closed by author)
https://github.com/osresearch/heads-wiki/pull/76/files#diff-29017719792bd9c9938af6836790ea250cbe08877b37721fb0b2ddd7e7216f56R63-R121

LUKS Disk Recovery Key passphrase is the the one chosen at install: correct. Can be used to decrypt disk on another computer: correct.

The Disk Unlock Key, aka TPM disk encryption passphrase, is local and stored in the TPM, which releases the Key when system is in the right state and was documented under https://github.com/osresearch/heads-wiki/pull/76/files#diff-29017719792bd9c9938af6836790ea250cbe08877b37721fb0b2ddd7e7216f56R63-R121

Unlocking the Disk encrypted container with GPG PINs is possible and was documented there, and requires the booted OS to be modified accordingly. Purism is doing so with their OS and documentation is given on their website, pointed from the section in wiki PR above.

Not sure why that PR was closed. Maybe the discussion should continue there so that that PR is modified and merged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants