
#1 2015-05-07 08:00:09

NoMoreBullshit
Member
Registered: 2015-05-07
Posts: 9

[SOLVED] Full disk encryption, luks - How to add yubikey?

HDD is encrypted with password.
I need to add a yubikey to luks, so I installed ykfde:
Full disk encryption with Yubikey (Yubico key) for mkinitcpio

I don't understand what I must write in /etc/ykfde.conf:
device name = crypt

Crypt name: /dev/sdXY, /dev/mapper/ or something else?

ykfde gives error:
Device [name] failed to initialize.

File system - btrfs.

Last edited by NoMoreBullshit (2015-05-12 15:14:19)

Offline

#2 2015-05-08 00:43:13

nstgc
Member
Registered: 2014-03-17
Posts: 393

Re: [SOLVED] Full disk encryption, luks - How to add yubikey?

I can't offer any advice on how to go about doing that, however, have you considered, as an alternative, using a passfile in place of a password? I have a 100MB file on a USB created with "$ dd if=/dev/random of=keyfile bs=1M count=100". That is more secure than any password, and much easier to set up I'm sure.

[edit] https://bbs.archlinux.org/viewtopic.php?id=192858

Last edited by nstgc (2015-05-08 00:45:48)

Offline

#3 2015-05-08 04:52:05

NoMoreBullshit
Member
Registered: 2015-05-07
Posts: 9

Re: [SOLVED] Full disk encryption, luks - How to add yubikey?

Thank you for the reply.
It is a good possibility to use a USB flash drive, but I prefer the yubikey. It is a personal choice, but:
I have a yubikey already,
the USB flash drive must be dedicated only to unlocking the HDD. In daily use, I or someone else can delete / overwrite the file or format the flash drive.

Offline

#4 2015-05-08 20:47:14

eworm
Package Maintainer (PM)
From: Oberhausen, Germany
Registered: 2010-01-30
Posts: 107
Website

Re: [SOLVED] Full disk encryption, luks - How to add yubikey?

You have to give the name you use for the LUKS device mapping. Try this:

# dmsetup ls --target crypt
cvg     (254, 3)

In this case you would have to change the line in /etc/ykfde.conf to:

device name = cvg

And the line in /etc/crypttab.initramfs should read:

cvg /dev/sdXY -

ArchLinux - make it simple & lightweight

Offline

#5 2015-05-10 06:26:53

NoMoreBullshit
Member
Registered: 2015-05-07
Posts: 9

Re: [SOLVED] Full disk encryption, luks - How to add yubikey?

OK, some progress. Finally I have a new file in ENCRYPTED /etc/ykfde.d/challen..... and an enabled slot in luks.
No changes to the /boot partition.
Added the ykfde hook, rebuilt initramfs, rebooted and ..... entered the pass from a different slot.
It is not opening the luks device, as if there is no yubikey in USB.
In Ubuntu this command is executed:
yubikey-luks-enroll

Is it enough to rebuild initramfs, or is something missing?

Last edited by NoMoreBullshit (2015-05-10 06:29:00)

Offline

#6 2015-05-10 21:21:12

eworm
Package Maintainer (PM)
From: Oberhausen, Germany
Registered: 2010-01-30
Posts: 107
Website

Re: [SOLVED] Full disk encryption, luks - How to add yubikey?

Your initramfs uses systemd (hooks systemd and sd-encrypt)? Make sure it does!

Then make sure you have the required files in initramfs. The output should look similar:

lsinitcpio -l /boot/initramfs-linux.img | grep ykfde
./usr/lib/udev/ykfde
./usr/lib/udev/rules.d/20-ykfde.rules
./etc/ykfde.d
./etc/ykfde.d/challenge-1234567
./etc/ykfde.conf

ArchLinux - make it simple & lightweight

Offline
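
The checks from posts #4 and #6 combined into one script, as an added example that is not part of any post and not ykfde's own code. It assumes the file formats are exactly as quoted in the thread; the function names and the use of captured-output files as arguments are hypothetical.

```shell
#!/bin/sh
# Added example, not ykfde's own code. Inputs are text files so that captured
# command output can be checked offline. Parsing rules are assumptions.

# Print the value of the "device name = ..." line in a ykfde.conf-style file.
conf_device_name() {
    sed -n 's/^[[:space:]]*device name[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Succeed if some line of file $1 has $2 as its first whitespace-separated field.
first_column_has() {
    awk -v n="$2" '$1 == n { found = 1 } END { exit !found }' "$1"
}

# check_ykfde DMSETUP_LS_OUTPUT YKFDE_CONF CRYPTTAB_INITRAMFS LSINITCPIO_LISTING
check_ykfde() {
    rc=0
    name=$(conf_device_name "$2")
    [ -n "$name" ] || { echo "FAIL: no 'device name' line in ykfde.conf"; return 1; }
    first_column_has "$1" "$name" ||
        { echo "FAIL: '$name' is not an active crypt mapping"; rc=1; }
    first_column_has "$3" "$name" ||
        { echo "FAIL: '$name' has no entry in crypttab.initramfs"; rc=1; }
    for f in usr/lib/udev/ykfde usr/lib/udev/rules.d/20-ykfde.rules etc/ykfde.conf; do
        grep -qxF "./$f" "$4" || { echo "FAIL: initramfs lacks $f"; rc=1; }
    done
    grep -q '^\./etc/ykfde\.d/challenge-' "$4" ||
        { echo "FAIL: initramfs lacks a challenge file"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: '$name' is consistent"
    return "$rc"
}

# Constructed sample data: the thread's values, with ykfde.conf still set to
# the literal "crypt" from post #1.
demo() {
    d=$(mktemp -d)
    printf 'cvg\t(254, 3)\n' > "$d/dm"
    printf 'device name = crypt\n' > "$d/conf"
    printf 'cvg /dev/sdXY -\n' > "$d/tab"
    printf './%s\n' usr/lib/udev/ykfde usr/lib/udev/rules.d/20-ykfde.rules \
        etc/ykfde.d etc/ykfde.d/challenge-1234567 etc/ykfde.conf > "$d/img"
    check_ykfde "$d/dm" "$d/conf" "$d/tab" "$d/img" || true   # two FAIL lines
    printf 'device name = cvg\n' > "$d/conf"
    check_ykfde "$d/dm" "$d/conf" "$d/tab" "$d/img"           # OK
    rm -rf "$d"
}
demo
```

On a real system, save the output of `dmsetup ls --target crypt` and `lsinitcpio -l /boot/initramfs-linux.img` to files and pass them together with /etc/ykfde.conf and /etc/crypttab.initramfs.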

#7 2015-05-12 15:13:37

NoMoreBullshit
Member
Registered: 2015-05-07
Posts: 9

Re: [SOLVED] Full disk encryption, luks - How to add yubikey?

It's working! Thanks eworm :)

And others who don't want more headaches, please read about the alternative mkinitcpio configuration file and custom image. Make a custom image, add a new entry to the bootloader, and if something goes wrong you can boot the previous image ;)

Last edited by NoMoreBullshit (2015-05-13 06:17:38)

Offline

#8 2015-05-19 17:12:59

NoMoreBullshit
Member
Registered: 2015-05-07
Posts: 9

Re: [SOLVED] Full disk encryption, luks - How to add yubikey?

I forgot to say: if it is not working, try changing the sequence of hooks. My working sequence:

HOOKS="base udev autodetect systemd keyboard sd-encrypt modconf ykfde block btrfs encrypt filesystems"

Offline

#9 2016-02-04 09:49:57

NoMoreBullshit
Member
Registered: 2015-05-07
Posts: 9

Re: [SOLVED] Full disk encryption, luks - How to add yubikey?

What is the syntax in this file for enabling the second factor?

Make sure to enable second factor in /etc/ykfde.conf

Please add some additional info to the file /etc/ykfde.conf :) Now there is only info about the luks slot, yubikey slot, and LUKS device. But instructions on the second factor syntax are absent.

I have tried

second factor = true

but not successfully :)

Offline
