I'd like to display password during LUKS boot

Discussion in 'all things UNIX' started by Palancar, Feb 23, 2018.

  1. Palancar, Registered Member (Joined: Oct 26, 2011; Posts: 2,402)

    I sit in solitude at a residence where only I can see my monitor while booting my Linux OS's. My passwords are insanely long and while I clearly "know" them, at times I make a mistake keying them to mount a system. Just starting out on this journey. I mount all my systems using /boot on a flash drive unique for each and every system to assure no "cross talk" is possible among my systems. I am wondering if there is a simple modification I could make to grub (or wherever) on the flash that could flip/toggle a switch so key'd characters would be displayed as I type them? I won't store anything on the bootflash that would compromise my security. I want to have a "brick" when my systems are not mounted. Does anyone have a link or some knowledge of whether this is doable without going crazy doing major mods? In my case this would really be a nice feature to enable. Doesn't happen too much but a mis-type on > 30 character password is kind of a pain.
     
  2. mirimir, Registered Member (Joined: Oct 1, 2011; Posts: 9,252)

    Well, it's cryptsetup that's asking for the password at boot. Looking at man cryptsetup, I don't see anything about displaying the password during entry. But you could take a look. I've wondered myself. I have fat fingers, and sometimes hit CapsLock instead of Shift, a or q. And sometimes, resetting is the only way to be sure that CapsLock isn't on.
     
  3. RockLobster, Registered Member (Joined: Nov 8, 2007; Posts: 1,812)

    That is a good point, I have had trouble with entering passwords in luks too. I think that is well worth a feature request for a display password option.
     
  4. Palancar, Registered Member (Joined: Oct 26, 2011; Posts: 2,402)

    OK then my journey begins. If I find something, even if it's over my head, I'll come back and report. I have at least 500 meg still open on all my /boot usb's (I use special order 1 Gig's for booting) so a small added module (on the USB) to effect this option would be acceptable to me IF I can be convinced there is NO storage of characters, and simply a display during boot. Hopefully the cryptsetup team realizes that some folks could use this feature without a security risk at all. If you are using cryptsetup and LUKS you should be well down the road of needing a "hall monitor" to protect you from making stupid mistakes in security.
     
  5. Palancar, Registered Member (Joined: Oct 26, 2011; Posts: 2,402)

    I suspect this is going to require a small "module" that would somehow convert the key'd entry into a visible/readable character. If so I have room because of how I mount using usb. I don't know if there is room in a normal MBR and therefore you would have to create a place for it to happen. That room would have to be unencrypted as well just like the MBR. I don't like unencrypted space if I can avoid it. In my method the unencrypted flash space is removed before ever going online. Then my shell script auto runs a checksum to make sure the MBR hasn't even had one digit flipped. Only then do I go online.

    I suspect the way to study this is to see how other scripts perform "in the background" when a user selects to reveal the keys in plain text. Surely the script/program to do this is very small. Without studying this at all I picture adding a line to grub to call up/run this small script, which is on the usb boot flash, so I can see the characters. Once LUKS mounts the OS the stick is gone. There is no reason in my mind that this would interfere with cryptsetup authenticating the password. Stay tuned.
     
    Last edited: Feb 24, 2018
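
The MBR checksum step mentioned in the last post, sketched as an added example (not the poster's own script): it hashes the boot code, partition table and signature of the first sector separately, so a mismatch also says which region changed. The function names, the baseline file format and the constructed test image are this example's assumptions; on a real stick, pass the device node instead of an image file and run as root.

```shell
#!/bin/sh
# Added example (not the poster's script): detect any change to the 512-byte MBR
# of a boot device by hashing its three regions separately against a baseline.

# Print "region sha256" for boot code (446 B), partition table (64 B), signature (2 B).
mbr_regions() {
    while read -r name skip count; do
        printf '%s %s\n' "$name" "$(dd if="$1" bs=1 skip="$skip" count="$count" \
            2>/dev/null | sha256sum | cut -d' ' -f1)"
    done <<'EOF'
bootcode 0 446
parttable 446 64
signature 510 2
EOF
}

# Return 0 if every region matches the baseline, 1 if any differs, 2 on usage errors.
mbr_verify() {
    v_dev=$1; v_base=$2; v_changed=""
    [ -s "$v_base" ] || { echo "no baseline: $v_base" >&2; return 2; }
    [ "$(head -c 512 "$v_dev" 2>/dev/null | wc -c)" -eq 512 ] ||
        { echo "cannot read 512 bytes from $v_dev" >&2; return 2; }
    v_now=$(mbr_regions "$v_dev")
    while read -r v_name v_hash; do
        echo "$v_now" | grep -qxF "$v_name $v_hash" || v_changed="$v_changed $v_name"
    done < "$v_base"
    [ -z "$v_changed" ] && return 0
    echo "MBR changed:$v_changed"
    return 1
}

# Constructed demo: zero-filled 1 KiB image with a 55AA signature; record a
# baseline, then flip a single byte at offset 100 (inside the boot code).
mbr_demo() {
    d_dir=$(mktemp -d) || return 2
    d_img="$d_dir/boot.img"; d_rc=0
    dd if=/dev/zero of="$d_img" bs=512 count=2 2>/dev/null
    printf '\125\252' | dd of="$d_img" bs=1 seek=510 conv=notrunc 2>/dev/null
    mbr_regions "$d_img" > "$d_dir/baseline"
    mbr_verify "$d_img" "$d_dir/baseline" && echo "clean image verified"
    printf 'X' | dd of="$d_img" bs=1 seek=100 conv=notrunc 2>/dev/null
    mbr_verify "$d_img" "$d_dir/baseline" || d_rc=$?
    rm -rf "$d_dir"
    return "$d_rc"
}

mbr_demo || echo "exit status $? (tampering detected, as intended)"
```

The baseline is only as trustworthy as where it is kept; storing it inside the encrypted volume keeps it out of reach of anyone who can write to the unencrypted stick.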