Comments on Two factor authentication with Yubikey for harddisk encryption with LUKS

Two factor authentication with Yubikey for harddisk encryption with LUKS: The YubiKey is a cool device that has been around for a while, and several of us know it and love it. It is recognized by the computer as a USB HID device and can emit one-time passwords on a button press. For quite a while the YubiKey has also supported a challenge-response mode, where the computer sends a challenge to the YubiKey and the YubiKey answers with a response calculated using HMAC-SHA1.

14 Comment(s)


Comments

By: sintrix

Noob here, please help.

ubuntu 14.04 - standard encrypted lvm drive

root@ragnarok:~# yubikey-luks-enroll
Killing LUKS slot 7
Key 7 not active. Can't wipe.

root@ragnarok:~# cryptsetup luksDump /dev/sda5

Key Slot 0: ENABLED

Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

root@ragnarok:~# cryptsetup -v luksOpen /dev/sda5 7
Enter passphrase for /dev/sda5:
Key slot 0 unlocked.
Cannot use device /dev/sda5 which is in use (already mapped or mounted).
Command failed with code 16: Cannot use device /dev/sda5 which is in use (already mapped or mounted).

root@ragnarok:~# vi yubikey-luks-enroll (edited SLOT=0) :wq

root@ragnarok:~# yubikey-luks-enroll
Killing LUKS slot 0

WARNING!
========
This is the last keyslot. Device will become unusable after purging this key.

Are you sure? (Type uppercase yes): YES
Enter any remaining passphrase:
Adding yubikey to initrd
Please insert a yubikey and enter a new password:again:Cannot add key slot, all slots disabled and no volume key provided.

By:

Never delete the last keyslot, unless you wish to make your disk unusable.

Deleting the last keyslot is only useful if you want to dump the hard disk with inaccessible data. If you deleted the last key slot, you should make a backup as long as the system is still running.

Keep a keyslot (preferably keyslot 0) with a default passphrase. Use other keyslots to work with YubiKey and password.
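The mistake in the first comment (editing the enroll script to SLOT=0 and purging the only enabled slot) is easy to catch before it happens. The following is an added example for this thread, not part of yubikey-luks or cryptsetup: a small script that reads the `cryptsetup luksDump` listing for a LUKS1 header (the "Key Slot N: ENABLED/DISABLED" lines shown above) and refuses a slot that is the only enabled one. The sample listing embedded in it is constructed from the output posted above; LUKS2 headers print a different "Keyslots:" section, which the script rejects rather than misreads.

```python
"""Safety check before killing or reusing a LUKS1 key slot for the YubiKey.

Added example for this thread; it is not part of yubikey-luks or cryptsetup.
It reads the text that `cryptsetup luksDump` prints for a LUKS1 header (the
"Key Slot N: ENABLED|DISABLED" lines) and refuses the slot that is the only
enabled one. LUKS2 headers print a "Keyslots:" section instead and are
rejected rather than misread.
"""
import re
import sys

SLOT_RE = re.compile(r"^Key Slot (\d+):\s+(ENABLED|DISABLED)\s*$", re.MULTILINE)

# Constructed sample: the listing from the thread, only slot 0 in use.
SAMPLE_DUMP = """LUKS header information for /dev/sda5

Version:        1
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
"""


def parse_slots(dump_text):
    """Map slot number -> True (ENABLED) / False (DISABLED) from luksDump output."""
    slots = {int(num): state == "ENABLED" for num, state in SLOT_RE.findall(dump_text)}
    if not slots:
        raise ValueError("no 'Key Slot N:' lines found; not a LUKS1 luksDump listing")
    return slots


def check_slot_for_enroll(dump_text, slot):
    """Classify what enrolling into `slot` would do to the header.

    "free"   : slot is DISABLED, nothing to kill; luksAddKey can use it directly
    "reuse"  : slot is ENABLED but another slot stays ENABLED; killing it is survivable
    "refuse" : slot is the only ENABLED slot; killing it leaves no way to unlock the volume
    """
    slots = parse_slots(dump_text)
    if slot not in slots:
        raise ValueError(f"slot {slot} is not present in this header")
    enabled = sorted(num for num, on in slots.items() if on)
    if not slots[slot]:
        return "free"
    if enabled == [slot]:
        return "refuse"
    return "reuse"


def main(argv):
    # Usage: cryptsetup luksDump /dev/sda5 | python3 luks_slot_check.py 7
    if len(argv) != 2:
        print("usage: cryptsetup luksDump DEV | luks_slot_check.py SLOT", file=sys.stderr)
        return 2
    verdict = check_slot_for_enroll(sys.stdin.read(), int(argv[1]))
    print(f"slot {argv[1]}: {verdict}")
    return 1 if verdict == "refuse" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it in the pipeline shown in the usage comment before `cryptsetup luksKillSlot` or the enroll script; a non-zero exit means stop and pick another slot. The script only reads the header listing, so it cannot damage anything itself.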

By: sintrix

-Installation-

When encrypting your drive from install pick a very secure and complex passphrase!

Note: if you are not familiar with this topic, stop now and backup your data. Partitions can change from machine to machine along with slots. You can easily nuke or lock yourself out of your machine forever.

---From CLI---

Gain root:

sudo su -

Prepare YubiKey (make sure you plug it into your usb):

apt-get install yubikey-personalization
ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible

Install PrivacyIdea yubikey package:

add-apt-repository ppa:privacyidea/privacyidea
apt-get install yubikey-luks

Verify where your encrypted drive is (mine is /dev/sda5). luksDump the device and verify that slot 7 is disabled:

cryptsetup -v luksDump /dev/sda5

To clear slot use:

cryptsetup luksKillSlot /dev/sda5 7

Create a temporary random key for the slot (read it from /dev/urandom, not from the disk itself):

dd if=/dev/urandom of=luks-secret.key bs=1 count=4096

Assign key to slot 7:

cryptsetup luksAddKey /dev/sda5 luks-secret.key --key-slot 7

Enroll your YubiKey; note: -d = device, -s = slot:

yubikey-luks-enroll -d /dev/sda5 -s 7

It will ask you for a password (use the original passphrase you used to encrypt the disk). It will ask you for a new password. It will ask you to enter it a second time. It will ask you for a new passphrase.

Shred your temporary key file:

shred --remove --zero luks-secret.key

Reboot:

reboot

When logging in you can type your really crazy long passphrase without the YubiKey and gain entry. If you are in a hostile place, simply plug in your YubiKey and enter your new password. It will only authenticate if the YubiKey is plugged directly into your laptop. When you leave your laptop, take your YubiKey with you to prevent shoulder surfers from gaining access even if they have your new password.

Hope this helps noobs like me.

By: Anonymous

very useful

By: Anonymous

Any thoughts on a real two-factor LUKS mechanism with the Yubikey? i.e., you have to enter a password AND use the yubikey to authenticate?
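What the question above asks about is visible in the mechanism itself. The following is an added example for this thread, not yubikey-luks code, and it does not talk to a YubiKey: it models a YubiKey slot programmed with `ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64`, which holds a 20-byte HMAC-SHA1 secret that never leaves the device. The password typed at the prompt is the challenge, and the 20-byte HMAC response (40 lowercase hex characters, as ykchalresp prints it) is the passphrase that actually unlocks the LUKS key slot. The device secret, the example password and the "other device" are all constructed for the example.

```python
"""Model of the challenge-response step that yubikey-luks builds on.

Added example for this thread; it is not yubikey-luks code and it does not
talk to a YubiKey. A real slot in HMAC-SHA1 challenge-response mode keeps a
20-byte secret on the device and answers any challenge with
HMAC-SHA1(secret, challenge). The device secret, the password and the
"other device" below are constructed for the example.
"""
import hashlib
import hmac
import secrets

SECRET_LEN = 20  # HMAC-SHA1 key size programmed into the YubiKey slot


class SimulatedYubiKeySlot:
    """Stand-in for YubiKey slot 2 in HMAC-SHA1 challenge-response mode."""

    def __init__(self, device_secret):
        if len(device_secret) != SECRET_LEN:
            raise ValueError("HMAC-SHA1 slot secret must be exactly 20 bytes")
        self._device_secret = device_secret  # on real hardware this is write-only

    def challenge_response(self, challenge):
        # hmac-lt64: a variable-length challenge shorter than the 64-byte block
        if not 0 < len(challenge) < 64:
            raise ValueError("challenge must be 1..63 bytes")
        return hmac.new(self._device_secret, challenge, hashlib.sha1).digest()


def slot_passphrase(device, password):
    """The value yubikey-luks hands to cryptsetup for a given password and device."""
    return device.challenge_response(password.encode("utf-8")).hex()


def unlock_attempt(enrolled_passphrase, device, password):
    """Stand-in for cryptsetup testing a passphrase against the enrolled key slot.

    Real LUKS runs the passphrase through PBKDF2 and checks it against the key
    slot material; what matters here is only whether the candidate reproduces
    the enrolled value, compared in constant time.
    """
    candidate = slot_passphrase(device, password)
    return hmac.compare_digest(candidate.encode(), enrolled_passphrase.encode())


def two_factor_demo():
    """Which combinations of device and password reproduce the enrolled slot value."""
    device_secret = secrets.token_bytes(SECRET_LEN)  # constructed, as ykpersonalize would program
    my_key = SimulatedYubiKeySlot(device_secret)
    other_key = SimulatedYubiKeySlot(secrets.token_bytes(SECRET_LEN))  # a different YubiKey
    password = "correct horse"  # constructed example password

    enrolled = slot_passphrase(my_key, password)  # what the LUKS slot was enrolled with
    return {
        "my key + my password": unlock_attempt(enrolled, my_key, password),
        "my key + wrong password": unlock_attempt(enrolled, my_key, "wrong"),
        "other key + my password": unlock_attempt(enrolled, other_key, password),
    }


if __name__ == "__main__":
    for case, ok in two_factor_demo().items():
        print(f"{case:26s} -> {'unlocks' if ok else 'rejected'}")
```

The demo shows why this already needs both factors: the response depends on the device secret and on the password, so the password alone or a different YubiKey alone is rejected. The caveat is on the LUKS side: the key slot stores nothing about the YubiKey, it only accepts the 40-hex-character response, so anyone who captures that response (it passes through shell variables and pipes in any script that calls ykchalresp) can open the volume with neither factor. Keep a long passphrase in another slot, as the earlier comment advises, and treat the response as a secret in its own right.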

By: Matt

Hi! I'm trying to implement this but I'm not sure why I don't get the login screen with the YubiKey hint. I tried to install everything as explained on a Linux Mint 17.1 with LUKS & LVM. I can register the slots fine but the script stayed in /usr/share/yubikey-luks/ykluks-keyscript; I tried to copy it manually to /sbin/ without any success. Wondering if it was my drive structure, I ended up reinstalling and now have a UEFI GPT boot (sda1 vfat -> sda2 ext2 which starts the decryption process).

Was I wrong and your steps are to be done during initial install ?

Should I mount sda2 to change something in the grub config (and how)?

I'm running out of options so your help will be greatly appreciated!

By: Matt

It's me again and I've tried something else. I logged in as root and uninstalled + reinstalled the package, noticing there was a message about config* not found in /boot! So I mounted my /dev/sda2 as /boot and reinstalled without this error. The next error was that /etc/fstab is missing information about my root partition, a consequence of my reinstalling that I didn't fix at the time. So I'll try first with /dev/mapper/sda3_crypt and come back. NB: I also got another error at the end about an unsupported locale (fr_FR.utf8); I tried switching to several others (en_US, en_US.utf8, en_US.iso*) with the same message.

By: Matt

Well, back to report my screw-up. Putting the wrong root messed up the initramfs, now failing to mount the vg and dropping only to a basic shell. I loaded the live USB to access the sda2 and decrypt sda3, but there is no easy way to revert my mistake. Will start from scratch and separate the UEFI, boot, home and /. Will then try again to see where my mistake was.

By: Matt

Me again. Finally, I'm glad to report everything went well on a fresh install! Here are the steps that may help others "get it right" from the start.

Do a fresh "Mint 17.1" install with automatic steps for LVM encryption (pick a strong passphrase and wipe the drive).

Press Ctrl+F2 to log in as root, follow the steps in this tutorial where you can use the enroll script with -d /dev/sda3 -s 1 (for a standard Mint 17.1 install, as /dev/sda1 will be the (U)EFI partition and /dev/sda2 will be the ext2 partition mounted as /boot).

Then the password entered twice will be your new passphrase + YubiKey; the 3rd password has to match the passphrase in LUKS slot 0.

If you get a "locale not found" error, no impact for me, but then I'm used to avoiding the keyboard letters/digits that differ between layouts (i.e. qwzm).

Reboot and try your new passphrase + YubiKey at the Mint PBA login. Note: only the success messages will be shown as text (no visible hint about using a YubiKey).

Last word: many thanks to the OP and PrivacyIdea for putting this package up, this is fantastic work.

By: Sebastian Rasor

I already have my installation of Linux Mint encrypted with LUKS, does this add a Yubikey to the current encryption?

By: Midyr

Hi,

It works perfectly on system boot. But it doesn't work if I try this after boot, e.g. to decrypt a data partition.

Is this possible?

Midyr

By: PleasantBerry

To mount the LUKS partition after boot use the following commands:

echo "Password: " && read -s challenge

ykchalresp -2 "$challenge" | sudo cryptsetup luksOpen /dev/sdb1 mydevice -

sudo mkdir -p /mnt/mydevice

sudo mount /dev/mapper/mydevice /mnt/mydevice

unset challenge

 

To unmount partition:

sudo umount /mnt/mydevice

sudo rm -rf /mnt/mydevice

sudo cryptsetup luksClose mydevice

By: markus

Hi,

on Ubuntu 18.04 this works like a charm for one disk.

On my desktop however I have two encrypted disks, and the yubikey-supported decryption only works for the first disk, for the second I need the conventional password, in spite of having enrolled the key there, too.

What is the trick to decrypt two encrypted disks with yubikey-support?

---Markus

By: Newbie

I followed the instructions, and everything worked flawlessly until I rebooted and was prompted to insert the YubiKey. The old password still works, but no combination of inserting the YubiKey, pressing its button and typing the new password works. They all end up as unsuccessful attempts.

How exactly am I supposed to give the new password, run it through the YubiKey and get access to the disk? Anyone who can give it in baby steps?