therealromster / cryptsetup

Automatically exported from code.google.com/p/cryptsetup
GNU General Public License v2.0
0 stars 0 forks source link

Please add TOTP support #241

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
This is a feature request. Would like to be able to decrypt master keys using 
Google Athenticator / Authy / etc. TOTP does not require network access and is 
tolerant of normal clock skews. TOTP is an open standard, and a reference 
implementation can be found on code.google.com.

Original issue reported on code.google.com by e...@2h0t.com on 24 Dec 2014 at 10:30

GoogleCodeExporter commented 9 years ago
This issue should be categorized as "enhancement" rather than "defect". 
Clearly the more versatile authentication and authorisation methods get, the 
better to achieve a level of security. Adding TOTP is a great feature to head 
for, but clearly it would be very advanced to integrate it into the current 
(and also future) LUKS header specifications. 

I write this to note that the current LUKS features also offer opportunities 
for some sort of two-factor authentication: 
1. You can use the remote header option. If you combine this with using a 
passphrase, you already get two factors: device storing the header - for 
example a  usb-device to store the header (something you have) and passphrase 
(something you know). This combination is the classic two-factor available. 
2. Depending on your initrd/initramfs environment you can use two-factor to 
access a LUKS-key. For example you can gpg-encrypt the keyfile, resulting in 
the input of a passphrase to access it for unlocking the LUKS encrypted device. 

Nonetheless, if somebody would be able to enhance the existing to add TOTP 
support, that would be surely useful and great for users. Just wanted to note 
the status quo does allow for some features like this. 

Original comment by randomic...@gmail.com on 30 Jan 2015 at 6:26