I’m running my GNU/Linux laptop with full disk encryption. What I’d like to do is:
A. Startup without Nitrokey
1. Start laptop
2. Enter FDE password
3. Desktop shell autologin (GNOME setting)
4. Plug in Nitrokey
5. Nitrokey functionality is available (for email etc.)

B. Startup with Nitrokey
1. Plug in Nitrokey
2. Start laptop
3. No need to enter FDE password
4. Desktop shell autologin (GNOME setting)
5. Nitrokey functionality is available (for email etc.)
From what I’ve read, scenario A is supported by Nitrokey, since it amounts to “plug in Nitrokey once you have logged into your desktop shell”. But what about scenario B? Can a Nitrokey be used to launch a full-disk encryption desktop from power up, without having to enter a password?
It depends on quite a few things. But I will mainly talk about a solution which should work.
What is full disk encryption for you? If you mean what Ubuntu is doing (leaving the boot partition unencrypted, using dm-crypt) then you can do what is described here. These instructions are old, old, old, but the main idea is valid.
Please note that I did not test the instructions yet. The main point is to encrypt a keyfile with GnuPG, and this keyfile is used to decrypt the disk. The procedure needs to start at least the kernel. Therefore the boot partition has to be unencrypted. As soon as GRUB can support USB tokens like Nitrokey it will be possible to use the keys to decrypt a “full-full” disk encryption. I do not see that coming soon though.
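The keyfile idea from the reply above, written out as a cryptsetup keyscript: this is an added example, not the linked instructions and not Nitrokey's own code. It assumes the Debian/Ubuntu initramfs layout (unencrypted /boot, a `keyscript=` option in /etc/crypttab, `/lib/cryptsetup/askpass`), a hypothetical script path /usr/local/sbin/nitrokey-unlock, a hypothetical encrypted keyfile at /boot/keyfile.gpg, and that GnuPG with scdaemon and a pinentry is available inside the initramfs (getting them in there is not shown). It also covers the fallback the thread calls scenario A: if the token is absent or the PIN is wrong, the script fails closed and asks for the normal FDE passphrase instead of handing cryptsetup a partial key.

```shell
#!/bin/sh
# Added example (not from the thread): cryptsetup keyscript that unlocks a
# dm-crypt/LUKS root with a GnuPG-encrypted keyfile, decryptable only with
# the OpenPGP card (Nitrokey) plus its PIN.  All paths are assumptions.
#
# One-time setup by the disk owner (not run by this script):
#   tr -dc 'A-Za-z0-9' </dev/urandom | head -c 64 > keyfile   # 64 printable chars
#   cryptsetup luksAddKey /dev/sda5 keyfile                    # extra LUKS key slot
#   gpg --encrypt --recipient <card-key-id> keyfile            # -> keyfile.gpg
#   cp keyfile.gpg /boot/keyfile.gpg && shred -u keyfile
#   /etc/crypttab:
#     cryptroot /dev/sda5 none luks,keyscript=/usr/local/sbin/nitrokey-unlock
#   update-initramfs -u   (gpg, scdaemon and pinentry need an initramfs hook)

# Overridable so the unlock logic can be exercised without a card present.
KEYFILE_GPG="${KEYFILE_GPG:-/boot/keyfile.gpg}"
GPG="${GPG:-gpg}"
ASKPASS="${ASKPASS:-/lib/cryptsetup/askpass}"
KEY_LEN=64   # length of the keyfile added as a LUKS key slot above

# Token path: gpg can only decrypt if the card is plugged in and the user
# enters the card PIN (the PIN cannot be skipped; that is an OpenPGP Card rule).
decrypt_keyfile() {
    $GPG --batch --quiet --decrypt "$KEYFILE_GPG" 2>/dev/null
}

# Fail closed: only a key of exactly KEY_LEN characters is accepted, so an
# empty or truncated gpg result is never passed on to cryptsetup.
key_is_valid() {
    [ "${#1}" -eq "$KEY_LEN" ]
}

# Prints the key material on stdout, which is where cryptsetup reads it from.
unlock_key() {
    key="$(decrypt_keyfile)" || key=""
    if key_is_valid "$key"; then
        printf %s "$key"
        return 0
    fi
    # Scenario A fallback: no token, wrong PIN or gpg failure -> ask for
    # the regular FDE passphrase, exactly as without the keyscript.
    "$ASKPASS" "Nitrokey unavailable; enter passphrase for ${CRYPTTAB_NAME:-disk}: "
}

# cryptsetup runs keyscripts with CRYPTTAB_NAME (and CRYPTTAB_SOURCE etc.)
# set.  Run by hand without them, the script only defines the functions.
if [ -n "${CRYPTTAB_NAME:-}" ]; then
    unlock_key
fi
```

The passphrase key slot stays in place, so losing the token never locks you out; and because gpg will not release the card's private key without the PIN, this gives token + PIN, not the "just plug it in" behaviour asked about later in the thread.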
Fair enough. On reflection my original goal was “support an additional one-factor authentication method”, specifically “that allows me to switch on my machine and go make some coffee”, rather than “switch to two-factor authentication”. Probably not part of the Nitrokey security story.
So in summary, Nitrokey could support two-factor authentication (token + pin) for:
unencrypted boot, encrypted data - but this requires some configuration
encrypted boot, encrypted data - but this requires new features in GRUB
Hi, just jumping on this here from a different side: I would see it as a big benefit to use Nitrokey as a KEY. Meaning to plug it into my computer and not need to enter any other security. Like a classical lock and key. Of course, if somebody steals my NK, he/she has stolen the keys.
So do you not see a way to configure the NK to use a PIN or not?
Every key operation is released if and only if a PIN was given. This is a basic principle of OpenPGP Card and cannot be circumvented (which is good!).
It may be possible, for example, to detect the insertion of a key, but this would be a function of the system and wouldn’t have anything to do with Nitrokey-specific hardware (as far as I can see). You could do such a thing with a simple pendrive as well (based on the unique identifiers such devices have, but which will turn out to be not so unique in the end). I do not know of such a program yet, but I am quite sure that such things are implemented somewhere. I am thinking of USBGuard as an example with a different goal. It is doing such detection for black-/whitelisting USB devices, but not for login purposes…
I do not think that Nitrokey would try to implement such a thing. It is difficult to handle and maintain and it does not seem like a very good idea from a security perspective if you are asking me.
A computer login with Nitrokey + PIN on the other hand is a very fine thing I am doing with my private Linux machine. You do not need to expose your (system) password in public and have a security gain.
Hi, thanks for the answer and explanation. I was busy with other tasks. To be honest: I think Apple will continue development of either their Fingerprint or FaceID, which will provide this "easy login".
And who is using a different computer brand nowadays?
(And mine is just broken, so I am trying to survive the rest of the year with an iPad, which anyhow has no USB slot.)