On Mon, 10 Jan 2011 13:45:29 +0000 Darac Marjal <mailingl...@darac.org.uk> wrote:
> On Sun, Jan 09, 2011 at 09:42:03PM -0800, Dan Serban wrote:
> > So, I'm currently switching my 9 workstations around the house to
> > diskless boot. They mount nfs shares that reside on top of an
> > encrypted raid server. This is all fine and good.
> >
> > What I'd like to do:
> >
> > On a specific workstation, on boot, I'd like to require that a
> > specific usb memory stick be inserted in the system. i.e. one that
> > contains a key which will allow the boot process to continue.
> >
> > Can this be done? If so, what should I use to make it less than
> > easy to decipher?
> >
> > Maybe a GPG encoded text file that matches against a plain text one?
> > (that's insecure)...
> >
> > I don't know. Do any of you have any suggestions?
>
> If the requirement can be relaxed to be some other sort of USB device,
> you could look at something like this:
> http://www.etokenonlinux.org/et/HowTos/eToken_and_LUKS
>
> The eToken is basically a smartcard that plugs into USB.

I still don't really understand the difference apart from it containing a key that I match against. Which is in essence what I was asking to do with a USB block device, which looks much cheaper than the eToken.

> If it has to be a USB Mass Storage device, try this:
> http://binblog.info/2008/12/04/using-a-usb-key-for-the-luks-passphrase/
>

This I've already done with my server; the USB key is inserted into the server to allow it to boot (with the key). What I was asking for was a method to halt a diskless boot (or one with a disk) if a specific USB key wasn't available. So my thoughts went to Vendor ID, serial number, and also a key to compare against on the root filesystem. My case is different in the sense that I'm not decrypting my block volumes, just halting a boot sequence.

> Remember, Google is your friend.
>

My Google-fu is weak. All I run into is stuff like you've suggested so far, and how to install Debian via a USB key. Nothing like what I want.
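The check sketched in the message above (Vendor ID, serial number, and a key compared against something on the root filesystem), as an added example that is not part of the original thread. It assumes the stick's filesystem is already mounted, a key file named `boot.key`, and that only the key's SHA-256 digest is stored on the root filesystem; all function names, IDs and paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): gate a boot step on a specific USB stick.
# idVendor and serial are values the device reports about itself, so the
# digest comparison of the key file is the check that carries the weight.

# find_usb_device SYSFS_ROOT VENDOR SERIAL -> 0 if a matching device is attached
find_usb_device() {
    sysfs_root=$1; want_vendor=$2; want_serial=$3
    for dev in "$sysfs_root"/bus/usb/devices/*; do
        [ -r "$dev/idVendor" ] && [ -r "$dev/serial" ] || continue
        vendor=$(cat "$dev/idVendor")
        serial=$(cat "$dev/serial")
        if [ "$vendor" = "$want_vendor" ] && [ "$serial" = "$want_serial" ]; then
            return 0
        fi
    done
    return 1
}

# key_matches KEYFILE EXPECTED_SHA256 -> 0 if the file's digest equals the stored one
key_matches() {
    [ -r "$1" ] || return 1
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# boot_gate SYSFS_ROOT MOUNTPOINT VENDOR SERIAL EXPECTED_SHA256
# returns 0 = continue boot, 1 = stick absent, 2 = key missing or wrong
boot_gate() {
    find_usb_device "$1" "$3" "$4" || { echo "required USB stick not present" >&2; return 1; }
    key_matches "$2/boot.key" "$5" || { echo "key file missing or wrong" >&2; return 2; }
    return 0
}

# Constructed demo: a fake sysfs tree and stick contents in a temp directory.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/sys/bus/usb/devices/1-1" "$t/stick"
    echo abcd > "$t/sys/bus/usb/devices/1-1/idVendor"          # constructed vendor ID
    echo EXAMPLE0001 > "$t/sys/bus/usb/devices/1-1/serial"     # constructed serial
    echo "constructed key material" > "$t/stick/boot.key"
    digest=$(sha256sum "$t/stick/boot.key" | cut -d' ' -f1)
    boot_gate "$t/sys" "$t/stick" abcd EXAMPLE0001 "$digest" && echo "gate passed"
    rm -rf "$t"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a real system the first argument would be `/sys`, and a non-zero return from `boot_gate` is where the boot script would stop.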