Yubikey and LUKS on testing (Buster)


Yubikey and LUKS on testing (Buster)

Georgios-2
Hi! :)
I'm trying to use a YubiKey with disk encryption.

I'm running Buster and my partitions are:

$ lsblk
NAME                    MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
nvme0n1                 259:0    0 238.5G  0 disk  
├─nvme0n1p1             259:1    0   512M  0 part  /boot/efi
├─nvme0n1p2             259:2    0   244M  0 part  /boot
└─nvme0n1p3             259:3    0 237.8G  0 part  
  └─nvme0n1p3_crypt     254:0    0 237.8G  0 crypt
    ├─Laptop--vg-root   254:1    0   230G  0 lvm   /
    └─Laptop--vg-swap_1 254:2    0   7.7G  0 lvm   [SWAP]


I insert a YubiKey whose slot 2 is empty and execute the following commands:

$ sudo ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible

then

$ sudo yubikey-luks-enroll -d /dev/nvme0n1p3 -s 7

Then I reboot my computer, and when it asks for a password to unlock my disk encryption I insert my YubiKey.
It doesn't accept the password that I programmed to use with the YubiKey.

Instead it accepts the password I use without the YubiKey! The prompt to enter my password doesn't mention the YubiKey.

Any ideas?

Thanks in advance for your help!

PS. I have 2 YubiKeys. I'm having the same problem with both of them.


Re: Yubikey and LUKS on testing (Buster)

Roberto C. Sánchez-2
On Wed, Feb 20, 2019 at 12:15:57PM +0200, [hidden email] wrote:
>
> Then I reboot my computer, and when it asks for a password to unlock my disk encryption I insert my YubiKey.
> It doesn't accept the password that I programmed to use with the YubiKey.
>
> Instead it accepts the password I use without the YubiKey! The prompt to enter my password doesn't mention the YubiKey.
>
> Any ideas?
>
I do not know specifically about using a YubiKey with LUKS in the way
that you describe.  However, I have had good results using the static
password (3-5 second press) like I would a normal password entered from
the keyboard.

As far as it accepting the non-yubikey password, remember that a LUKS
container has multiple key slots (8 or 24, I do not recall precisely at
the moment).  Accessing a LUKS container only requires that a single key
be unlocked, so any available password is sufficient to gain access.
Once you have the yubikey-based password working, you will need to
remove the other key slot if you no longer want that password to unlock
the container.

Regards,

-Roberto

--
Roberto C. Sánchez


Re: Yubikey and LUKS on testing (Buster)

Georgios Pediaditis

> As far as it accepting the non-yubikey password, remember that a LUKS
> container has multiple key slots (8 or 24, I do not recall precisely at
> the moment).  Accessing a LUKS container only requires that a single key
> be unlocked, so any available password is sufficient to gain access.
> Once you have the yubikey-based password working, you will need to
> remove the other key slot if you no longer want that password to unlock
> the container.

Thanks for your reply.

I know that it has multiple slots. For the time being that's the only reason I can open my laptop :-p

It must be challenge-response and not a static password, since I already use YubiKey slot 1 and I need to use YubiKey slot 2 with challenge-response for other services.

Thanks again for your help


Re: Yubikey and LUKS on testing (Buster)

Curt
On 2019-02-20, Georgios Pediaditis <[hidden email]> wrote:

>
>> As far as it accepting the non-yubikey password, remember that a LUKS
>> container has multiple key slots (8 or 24, I do not recall precisely at
>> the moment).  Accessing a LUKS container only requires that a single key
>> be unlocked, so any available password is sufficient to gain access.
>> Once you have the yubikey-based password working, you will need to
>> remove the other key slot if you no longer want that password to unlock
>> the container.
>
> Thanks for your reply.
>
> I know that it has multiple slots. For the time being that's the only
> reason I can open my laptop :-p
>
> It must be challenge-response and not a static password, since I already
> use YubiKey slot 1 and I need to use YubiKey slot 2 with challenge-response
> for other services.
>
> Thanks again for your help
>
>

As you omitted the part about appending
'keyscript=/usr/share/yubikey-luks/ykluks-keyscript' to your
/etc/crypttab file and subsequently running 'update-initramfs -u' in
your description of your procedure, I'm wondering whether you
inadvertently skipped that step.

https://github.com/cornelinux/yubikey-luks
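
The procedure as Curt's reply completes it, written out as an added example (it is not code from the thread or from the yubikey-luks project): the two commands the original post ran, then the crypttab keyscript edit and update-initramfs, then the checks Roberto's reply implies. The device /dev/nvme0n1p3 and the mapping name nvme0n1p3_crypt are taken from the poster's lsblk output; the luksDump excerpts at the end are constructed, not captured from a disk. On key slot counts: LUKS1 has 8 key slots and LUKS2 has 32, and any one enabled slot unlocks the container, which is why the installer passphrase kept working.

```shell
#!/bin/sh
# Added example, not from the thread or the yubikey-luks project.
# Device and mapping name are assumptions taken from the poster's lsblk.

# Path shipped by the Debian yubikey-luks package (quoted in the thread).
YKLUKS_KEYSCRIPT=/usr/share/yubikey-luks/ykluks-keyscript

# has_keyscript CRYPTTAB NAME: succeed if NAME's crypttab line already
# carries a keyscript= option.
has_keyscript() {
    awk -v name="$2" '
        $1 == name && index($0, "keyscript=") > 0 { found = 1 }
        END { exit !found }
    ' "$1"
}

# add_keyscript CRYPTTAB NAME: append ",keyscript=..." to the options
# column (4th field) of NAME's line. Idempotent: a line that already has
# a keyscript= option is left alone. Fields are re-joined with single
# spaces, which crypttab accepts.
add_keyscript() {
    awk -v name="$2" -v ks="$YKLUKS_KEYSCRIPT" '
        $1 == name && index($0, "keyscript=") == 0 {
            if (NF < 3) $3 = "none"                 # key file column
            if (NF < 4 || $4 == "") $4 = "keyscript=" ks
            else $4 = $4 ",keyscript=" ks
        }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# enabled_keyslots: read `cryptsetup luksDump` output on stdin and print
# the enabled slot numbers on one line. Handles LUKS1 ("Key Slot N:
# ENABLED", 8 slots) and LUKS2 (numbered entries under "Keyslots:",
# 32 slots). Any one enabled slot is enough to unlock the container.
enabled_keyslots() {
    awk '
        function add(s) { out = (out == "" ? s : out " " s) }
        /^Key Slot [0-9]+: ENABLED/ { sub(/:$/, "", $3); add($3); next }
        /^Keyslots:/                { in_ks = 1; next }
        /^[A-Z][A-Za-z]*:/          { in_ks = 0 }
        in_ks && /^  [0-9]+: /      { sub(/:$/, "", $1); add($1) }
        END { print out }
    '
}

# yubikey_luks_setup DEVICE NAME [SLOT]: the full procedure, as root.
# Not invoked by this file; call it explicitly, e.g.
#   yubikey_luks_setup /dev/nvme0n1p3 nvme0n1p3_crypt 7
yubikey_luks_setup() {
    dev=$1; name=$2; slot=${3:-7}
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    # 1. Program YubiKey slot 2 for HMAC-SHA1 challenge-response (as in the thread).
    ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
    # 2. Enrol a YubiKey-derived secret into LUKS key slot $slot.
    yubikey-luks-enroll -d "$dev" -s "$slot"
    # 3. The step the original post skipped: route the initramfs unlock
    #    prompt through the yubikey-luks keyscript.
    add_keyscript /etc/crypttab "$name"
    # 4. Rebuild the initramfs so the new crypttab and the keyscript ship in it.
    update-initramfs -u
    # 5. Checks: the keyscript really landed in the initramfs, and which
    #    slots can still unlock the disk (the installer passphrase slot
    #    stays valid until you luksKillSlot it).
    lsinitramfs "/boot/initrd.img-$(uname -r)" | grep -q ykluks-keyscript \
        || echo "warning: ykluks-keyscript not found in initramfs" >&2
    echo "enabled key slots: $(cryptsetup luksDump "$dev" | enabled_keyslots)"
}

# Constructed luksDump excerpts (not captured from a real disk) for
# exercising enabled_keyslots offline.
SAMPLE_LUKS1_DUMP='LUKS header information for /dev/nvme0n1p3

Version:        1
Cipher name:    aes
Key Slot 0: ENABLED
    Iterations:     1234567
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 7: ENABLED
    Iterations:     1234567'

SAMPLE_LUKS2_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
    Key:        512 bits
  7: luks2
    Key:        512 bits
Tokens:
Digests:
  0: pbkdf2
    Hash:       sha256'
```

The symptom in the original post (a plain passphrase prompt that never mentions the YubiKey) is exactly what you get when step 3 or 4 is missing: the initramfs still carries the stock prompt, and the installer passphrase in its own key slot keeps unlocking the disk. Once a reboot has confirmed that the YubiKey-backed slot unlocks the container, remove the passphrase-only slot with `cryptsetup luksKillSlot /dev/nvme0n1p3 N`, where N is the slot printed by enabled_keyslots that you did not enrol (on a stock Debian install that is normally slot 0, but check the dump rather than assuming). Keep at least one slot you can unlock without the YubiKey until that check has passed, or a lost or broken key locks you out.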



Re: Yubikey and LUKS on testing (Buster)

Georgios-2
Thanks for the reply! You are right! I was looking at older instructions that didn't include that info!

>
> As you omitted the part about appending
> 'keyscript=/usr/share/yubikey-luks/ykluks-keyscript' to your
> /etc/crypttab file and subsequently running 'update-initramfs -u' in
> your description of your procedure, I'm wondering whether you
> inadvertently skipped that step.
>
> https://github.com/cornelinux/yubikey-luks
>
>