Two factor authentication with Yubikey for harddisk encryption with LUKS

Want to support HowtoForge? Become a subscriber!
 
Submitted by cornelinux (Contact Author) (Forums) on Sat, 2014-07-19 10:53. :: Linux | Ubuntu | Desktop | Security

Two factor authentication with Yubikey for harddisk encryption with LUKS

Click to enlarge

by Yubico

The yubikey is a cool device that is around for a while and several of us know it and love it. It is a device that is recognizes as a USB HID device and can emit one time passwords on a button press.

Quite for a while the yubikey supports a challenge response mode, where the computer can send a challenge to the yubikey and the yubikey will answer with a response, that is calculated using HMAC-SHA1.

In this howto I will show, how you can use the yubikey to protect your encrypted harddisk and thus addind two factor authentication to your pre boot authentication.

The user enters a password, this password is transmitted to the yubikey as a challenge and the response is sent back. A LUKS key slot holds the response, so that in terms of LUKS the response acts as the slot passphrase.

Getting it all togeather

This solution is based on my github project yubikey-luks. You can either fetch this project in source or you can use the repository at launchpad where I uploaded a ready made package for Ubuntu 14.04LTS. This solution works fine with Ubuntu 14.04, but it can also run on other debian-like distributions. I assume that you are running Ubuntu 14.04.

Add the repository to your system:

add-apt-repository ppa:privacyidea/privacyidea

Rrefresh package information and install the tool:

apt-get update
apt-get install yubikey-luks

Enroll Yubikey

Insert your yubikey and run the command:

ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible

The Yubikey has two slots. We use slot 2 so that you can use the slot 1 for "normal" OTP usage.

Add to LUKS

To assign the yubikey to your LUKS slot, use the command yubikey-luks-enroll. The script at /usr/bin/yubikey-luks-enroll assumes, that your LUKS partition is /dev/sda5. If it is another one, please copy the script to your homedirectory and adapt the line:

DISK="/dev/sda5"

The Yubikey response will be written to LUKS slot 7. Be sure to have a normal password availbale at some other slot. You can check this with:

cryptsetup luksDump

Insert the yubikey and run the yubikey-luks-enroll script. The script asks for a new password, which is the password, that is now sent to the yubikey to generate the repsone and which you will use at boot time.

Done.

Going live!


The boot screen welcomes you with the hint, to insert the yubikey. You can as well use old passphrases...


Data is retrieved from the Yubikey.


Success!

Conclusion

The bootup hooks were modified so that you can either login with a usual password or with the Yubikey plus a new password - thus increasing security in untrusted environments.

The two factor authenticaton management system privacyIDEA provides means to manage several yubikeys and assign those Yubikeys to different client machiens. Stay tuned!


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by Anonymous (not registered) on Mon, 2014-11-24 19:27.
Any thoughts on a real two-factor LUKS mechanism with the Yubikey? i.e., you have to enter a password AND use the yubikey to authenticate?
Submitted by Anonymous (not registered) on Fri, 2014-07-25 13:51.
very usefull
Submitted by sintrix (not registered) on Tue, 2014-07-22 19:15.

Noob here plz help.

ubuntu 14.04 - standard encrypted lvm drive

root@ragnarok:~# yubikey-luks-enroll
Killing LUKS slot 7
Key 7 not active. Can't wipe.

root@ragnarok:~# cryptsetup luksDump /dev/sda5

Key Slot 0: ENABLED

Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

root@ragnarok:~# cryptsetup -v luksOpen /dev/sda5 7
Enter passphrase for /dev/sda5:
Key slot 0 unlocked.
Cannot use device /dev/sda5 which is in use (already mapped or mounted).
Command failed with code 16: Cannot use device /dev/sda5 which is in use (already mapped or mounted).

root@ragnarok:~# vi yubikey-luks-enroll (edited SLOT=0) :wq

root@ragnarok:~# yubikey-luks-enroll
Killing LUKS slot 0

WARNING!
========
This is the last keyslot. Device will become unusable after purging this key.

Are you sure? (Type uppercase yes): YES
Enter any remaining passphrase:
Adding yubikey to initrd
Please insert a yubikey and enter a new password:again:Cannot add key slot, all slots disabled and no volume key provided.

Submitted by sintrix (not registered) on Wed, 2014-07-23 04:04.

-Installation-

When encrypting your drive from install pick a very secure and complex passphrase!

Note: if you are not familiar with this topic, stop now and backup your data. Partitions can change from machine to machine along with slots. You can easily nuke or lock yourself out of your machine forever.

---From CLI---

Gain root:

sudo su -

Prepare YubiKey (make sure you plug it into your usb):

apt-get install yubikey-personalization ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible

Install PrivacyIdea yubikey package:

add-apt-repository ppa:privacyidea/privacyidea apt-get install yubikey-luks

Verify where your encrypted drive is (mine is /dev/sda5): Luks Dump the device and verify slot 7 is disabled:

cryptsetup -v luksDump /dev/sda5

To clear slot use:

cryptsetup luksKillSlot /dev/sda5 7

Create temporary random key for slot:

dd if=/dev/sda5 of=luks-secret.key bs=1 count=4096

Assign key to slot 7:

cryptsetup luksAddKey /dev/sda5 luks-secret.key --key-slot 7

Enroll your YubiKey; note: -d = device, -s = slot:

yubikey-luks-enroll -d /dev/sda5 -s 7

It will ask you for password (use the original passphrase you used to encrypt the disk) It will ask you for a new password. It will ask you to enter it a second time. It will ask you for a new passphrase.

Shred your temporary key file:

shred --remove --zero luks-secret.key

Reboot:

reboot

When logging in you can type your really crazy long passphrase without the yubi key and gain entry. If you are in hostile place simply plugin your yubikey and enter your new password. It will only authenticate if the yubikey is plugged directly into your laptop. When you leave your laptop take your yubikey with you to prevent any shoulder surfers from gaining access even if they have your new pass.

Hope this helps noobs like me.

Submitted by cornelinux (registered user) on Tue, 2014-07-22 23:02.

Never delete the last keyslot, unless you wish to make your disk unsable.

Deleting the last keyslot is only used, if you want to dump the harddisk with unaccessable data. If you deleted the last key slot, you should make a backup as long as the system is running.

Keep a keyslot (preferable keyslot 0) with a default passphrase. Use other keyslots to work with yubikey and password.