Two-factor authentication with YubiKey for hard disk encryption with LUKS


by Yubico

The YubiKey is a neat device that has been around for a while, and many of us know and love it. The computer recognizes it as a USB HID (keyboard) device, and it can emit one-time passwords at the press of its button.

For quite a while now the YubiKey has also supported a challenge-response mode: the computer sends a challenge to the YubiKey, and the YubiKey answers with a response computed as HMAC-SHA1 over the challenge, keyed with a secret that is stored on the device and never leaves it.

In this howto I will show how you can use the YubiKey to protect your encrypted hard disk, thus adding two-factor authentication to your pre-boot authentication.

At boot the user enters a password. This password is sent to the YubiKey as the challenge, and the YubiKey sends back the HMAC-SHA1 response. A LUKS key slot holds that response, so in terms of LUKS the response acts as the slot passphrase. Unlocking the slot therefore requires both the password (something you know) and the YubiKey holding the HMAC secret (something you have); the password alone is useless without the key, and the key alone is useless without the password.
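To make the mechanism above concrete, here is a software emulation of what the YubiKey computes in HMAC-SHA1 challenge-response mode and how the result ends up as a LUKS slot passphrase. This is an added example and not code from the yubikey-luks project; the secret here is a constructed 20-byte value standing in for the one ykpersonalize programmed into slot 2 (on a real key it never leaves the device), and the assumption that the response is stored as the 40-character hex string printed by ykchalresp is the example's own modelling choice.

```python
"""Emulation of the YubiKey HMAC-SHA1 challenge-response used for LUKS.

Added example, not code from the yubikey-luks project.  The real HMAC secret
lives only on the token; this emulation just makes visible what the token
computes and why the slot passphrase depends on password AND token.
"""
import hashlib
import hmac

# Constructed 20-byte secret standing in for what ykpersonalize wrote to slot 2.
DEMO_SECRET = bytes(range(1, 21))


def yubikey_hmac_response(secret, challenge):
    """Return what a slot programmed with -ochal-hmac -ohmac-lt64 answers.

    The device computes HMAC-SHA1(secret, challenge); ykchalresp prints the
    20-byte result as 40 hex characters.  With hmac-lt64 the challenge may be
    shorter than the 64-byte USB frame (the device strips the padding), so the
    password bytes are hashed as-is.  Challenges of 64 bytes or more are
    rejected here rather than silently truncated.
    """
    if len(secret) != 20:
        raise ValueError("HMAC-SHA1 slot secret is exactly 20 bytes")
    data = challenge if isinstance(challenge, bytes) else challenge.encode("utf-8")
    if not 0 < len(data) < 64:
        raise ValueError("challenge must be 1..63 bytes in hmac-lt64 mode")
    return hmac.new(secret, data, hashlib.sha1).hexdigest()


def enroll_slot_passphrase(secret, password):
    """What enrollment stores in the LUKS key slot: the response to the chosen
    password, used verbatim as the slot passphrase (assumption: hex encoding)."""
    return yubikey_hmac_response(secret, password)


def boot_unlock_ok(stored_slot_passphrase, secret, typed_password):
    """Boot-time check: recompute the response with whatever token is present
    and compare it to the slot passphrase.  LUKS itself derives a key from the
    passphrase with PBKDF2 and verifies the master key digest; the emulation
    uses a constant-time string compare instead."""
    try:
        candidate = yubikey_hmac_response(secret, typed_password)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored_slot_passphrase)


def rfc2202_self_test():
    """RFC 2202 HMAC-SHA1 test case 1 shows the emulation is plain HMAC-SHA1."""
    return yubikey_hmac_response(b"\x0b" * 20, "Hi There") == \
        "b617318655057264e28bc0b6fb378c8ef146be00"


if __name__ == "__main__":
    other_token = bytes(range(21, 41))   # a second, differently programmed key
    slot7 = enroll_slot_passphrase(DEMO_SECRET, "correct horse")
    print("slot 7 passphrase      :", slot7)
    print("password + right token :", boot_unlock_ok(slot7, DEMO_SECRET, "correct horse"))
    print("password + other token :", boot_unlock_ok(slot7, other_token, "correct horse"))
    print("wrong password + token :", boot_unlock_ok(slot7, DEMO_SECRET, "correct horse!"))
    print("RFC 2202 vector ok     :", rfc2202_self_test())
```

Because HMAC is deterministic, the response for a given password is a static secret: anyone who learns the 40-character response can open that slot without the token, so the response must never be logged, echoed or stored anywhere but in the LUKS header.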

Getting it all together

This solution is based on my GitHub project yubikey-luks. You can either fetch the source from GitHub or use the repository at Launchpad, where I uploaded a ready-made package for Ubuntu 14.04 LTS. The solution works fine with Ubuntu 14.04, but it can also run on other Debian-like distributions. In the following I assume that you are running Ubuntu 14.04.

Add the repository to your system:

add-apt-repository ppa:privacyidea/privacyidea

Refresh the package information and install the tool:

apt-get update
apt-get install yubikey-luks

Enroll the YubiKey

Insert your YubiKey and run the command:

ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible

The YubiKey has two configuration slots. We use slot 2 so that slot 1 stays available for "normal" OTP usage. Note that this command reprograms slot 2 with a new random HMAC-SHA1 secret (ykpersonalize generates one when no secret is passed with -a), overwriting whatever that slot held before.

Add to LUKS

To assign the YubiKey to a LUKS slot, use the command yubikey-luks-enroll. The script at /usr/bin/yubikey-luks-enroll assumes that your LUKS partition is /dev/sda5. If yours is a different device, copy the script to your home directory and adapt the line:

DISK="/dev/sda5"

The YubiKey response will be written to LUKS slot 7. Be sure to keep a normal passphrase available in some other slot (typically slot 0): without it, a lost or broken YubiKey would lock you out of the disk for good. You can check the slots with:

cryptsetup luksDump /dev/sda5

Insert the YubiKey and run the yubikey-luks-enroll script. The script asks for a new password; this is the password that is sent to the YubiKey as the challenge to generate the response, and it is the password you will type at boot time.

Done.
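The check that the enrollment procedure above relies on, written out as an added example (this is not the yubikey-luks-enroll script): it parses the output of cryptsetup luksDump and only approves enrollment into the target slot if that slot is free and at least one other slot still holds an ordinary passphrase. The sample dump embedded in the code is constructed to look like a fresh Ubuntu 14.04 installation with only slot 0 in use; the per-slot detail lines are abbreviated.

```python
"""Pre-flight check before enrolling a YubiKey into a LUKS key slot.

Added example, not the yubikey-luks-enroll script.  Parses `cryptsetup
luksDump <device>` output and approves the enrollment only if the target slot
is free and another slot still holds a passphrase, so a lost or broken token
can never be the only way into the disk.
"""
import re
import subprocess
import sys

# Constructed luksDump output (LUKS1 header as written by the Ubuntu 14.04
# installer): only slot 0 is in use.  Per-slot details are abbreviated.
SAMPLE_DUMP = """\
LUKS header information for /dev/sda5

Version:       	1
Cipher name:   	aes
Cipher mode:   	xts-plain64
Hash spec:     	sha1
Payload offset:	4096
MK bits:       	512

Key Slot 0: ENABLED
	Iterations:         	200000
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
"""

SLOT_LINE = re.compile(r"^Key Slot (\d+): (ENABLED|DISABLED)[ \t]*$", re.MULTILINE)


def parse_key_slots(dump):
    """Map slot number -> True if the slot holds a key (LUKS1 has slots 0..7)."""
    slots = {int(num): state == "ENABLED" for num, state in SLOT_LINE.findall(dump)}
    if not slots:
        raise ValueError("no 'Key Slot N:' lines found; is this luksDump output?")
    return slots


def enrollment_preflight(dump, target_slot):
    """Return (ok, reason) for writing the YubiKey response into target_slot."""
    slots = parse_key_slots(dump)
    if target_slot not in slots:
        return False, "slot %d does not exist in this header" % target_slot
    if slots[target_slot]:
        return False, ("slot %d already holds a key; pick a free slot or kill it "
                       "deliberately with luksKillSlot first" % target_slot)
    fallback = sorted(n for n, used in slots.items() if used and n != target_slot)
    if not fallback:
        return False, "no other slot is enabled; the YubiKey would become the only key"
    return True, "ok, fallback passphrase(s) in slot(s) %s" % fallback


def preflight_device(device, target_slot=7):
    """Run the check against a real device (needs root and cryptsetup)."""
    dump = subprocess.check_output(["cryptsetup", "luksDump", device]).decode()
    return enrollment_preflight(dump, target_slot)


if __name__ == "__main__":
    # Usage: python luks_preflight.py [/dev/sdXN [slot]]; no args = built-in sample.
    if len(sys.argv) > 1:
        slot = int(sys.argv[2]) if len(sys.argv) > 2 else 7
        ok, why = preflight_device(sys.argv[1], slot)
    else:
        ok, why = enrollment_preflight(SAMPLE_DUMP, 7)
    print(("PASS: " if ok else "REFUSE: ") + why)
    sys.exit(0 if ok else 1)
```

Run it against the real device before the enrollment script; a non-zero exit means the header is not in a state where adding the YubiKey slot is safe.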

Going live!

The boot screen welcomes you with the hint to insert the YubiKey. The old passphrases still work as well...

Data is retrieved from the YubiKey.

Success!

Conclusion

The initramfs boot hooks were modified so that you can unlock the disk either with a usual passphrase or with the YubiKey plus the new password, thus increasing security in untrusted environments: a shoulder surfer who sees the new password gets nothing without the token. Keep in mind that the fallback passphrase in the other slot still opens the disk on its own, so the second factor only helps if that passphrase is strong and is not typed in such environments.

The two-factor authentication management system privacyIDEA provides means to manage several YubiKeys and assign them to different client machines. Stay tuned!

Comments

From: sintrix at: 2014-07-22 18:15:36

Noob here plz help.

Ubuntu 14.04 - standard encrypted LVM drive

root@ragnarok:~# yubikey-luks-enroll
Killing LUKS slot 7
Key 7 not active. Can't wipe.

root@ragnarok:~# cryptsetup luksDump /dev/sda5

Key Slot 0: ENABLED

Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

root@ragnarok:~# cryptsetup -v luksOpen /dev/sda5 7
Enter passphrase for /dev/sda5:
Key slot 0 unlocked.
Cannot use device /dev/sda5 which is in use (already mapped or mounted).
Command failed with code 16: Cannot use device /dev/sda5 which is in use (already mapped or mounted).

root@ragnarok:~# vi yubikey-luks-enroll (edited SLOT=0) :wq

root@ragnarok:~# yubikey-luks-enroll
Killing LUKS slot 0

WARNING!
========
This is the last keyslot. Device will become unusable after purging this key.

Are you sure? (Type uppercase yes): YES
Enter any remaining passphrase:
Adding yubikey to initrd
Please insert a yubikey and enter a new password:again:Cannot add key slot, all slots disabled and no volume key provided.

From: at: 2014-07-22 22:02:58

Never delete the last keyslot, unless you wish to make your disk unusable.

Deleting the last keyslot is only used if you want to dump the hard disk with inaccessible data. If you deleted the last key slot, you should make a backup as long as the system is running.

Keep a keyslot (preferably keyslot 0) with a default passphrase. Use other keyslots to work with the YubiKey and password.

From: sintrix at: 2014-07-23 03:04:42

-Installation-

When encrypting your drive from install pick a very secure and complex passphrase!

Note: if you are not familiar with this topic, stop now and backup your data. Partitions can change from machine to machine along with slots. You can easily nuke or lock yourself out of your machine forever.

---From CLI---

Gain root:

sudo su -

Prepare YubiKey (make sure you plug it into your usb):

apt-get install yubikey-personalization
ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible

Install the privacyIDEA yubikey package:

add-apt-repository ppa:privacyidea/privacyidea
apt-get update
apt-get install yubikey-luks

Verify where your encrypted drive is (mine is /dev/sda5): luksDump the device and verify that slot 7 is disabled:

cryptsetup -v luksDump /dev/sda5

To clear slot use:

cryptsetup luksKillSlot /dev/sda5 7

Create temporary random key for slot:

dd if=/dev/urandom of=luks-secret.key bs=4096 count=1

Assign key to slot 7:

cryptsetup luksAddKey /dev/sda5 luks-secret.key --key-slot 7

Enroll your YubiKey; note: -d = device, -s = slot:

yubikey-luks-enroll -d /dev/sda5 -s 7

It will ask you for a password (use the original passphrase you used to encrypt the disk). It will ask you for a new password. It will ask you to enter it a second time. It will ask you for a new passphrase.

Shred your temporary key file:

shred --remove --zero luks-secret.key

Reboot:

reboot

When logging in you can type your really crazy long passphrase without the YubiKey and gain entry. If you are in a hostile place, simply plug in your YubiKey and enter your new password. It will only authenticate if the YubiKey is plugged directly into your laptop. When you leave your laptop, take your YubiKey with you to prevent any shoulder surfers from gaining access even if they have your new password.

Hope this helps noobs like me.

From: Anonymous at: 2014-07-25 12:51:45

Very useful.

From: Anonymous at: 2014-11-24 18:27:00

Any thoughts on a real two-factor LUKS mechanism with the Yubikey? i.e., you have to enter a password AND use the yubikey to authenticate?

From: Matt at: 2015-02-16 11:19:13

Hi! I'm trying to implement this, but I'm not sure why I don't get the login screen with the YubiKey hint. I tried to install everything as explained on a Linux Mint 17.1 with LUKS & LVM. I can register the slots fine, but the script stayed in /usr/share/yubikey-luks/ykluks-keyscript; I tried to copy it manually to /sbin/ without any success. Wondering if it was my drive structure, I ended up reinstalling and now have a UEFI GPT boot (sda1 vfat -> sda2 ext2, which starts the decryption process).

Was I wrong, and are your steps to be done during the initial install?

Should I mount sda2 to change something in the grub config (and how)?

I'm running out of options so your help will be greatly appreciated!

From: Matt at: 2015-02-16 11:44:42

It's me again, and I've tried something else. I logged in as root and uninstalled + reinstalled the package, noticing there was a message about config* not found in /boot! So I mounted my /dev/sda2 as /boot and reinstalled without this error. The next error was that /etc/fstab is missing information about my root partition - a consequence of my reinstalling that I didn't fix at the time. So I'll try first with /dev/mapper/sda3_crypt and come back. NB: I also got another error at the end about an unsupported locale (fr_FR.utf8); I tried switching to several others (en_US, en_US.utf8, en_US.iso*) with the same message.

From: Matt at: 2015-02-16 14:45:21

Well, back to report my screw-up. Putting the wrong root messed up the initramfs, which now fails to mount the VG and drops only to a basic shell. I loaded the live USB to access sda2 and decrypt sda3, but there is no easy way to revert my mistake. Will start from scratch and separate the UEFI, boot, home and / partitions. Will then try again to see where my mistake was.

From: Matt at: 2015-02-17 08:55:54

Me again. Finally, I'm glad to report everything went well on a fresh install! Here are the steps that may help others "get it right" from the start.

Do a fresh "Mint 17.1" install with automatic steps for LVM encryption (pick a strong passphrase and wipe the drive).

Press Ctrl+F2 to log in as root, then follow the steps in this tutorial, where you can use the enroll script with -d /dev/sda3 -s 1 (for a standard Mint 17.1 install, as /dev/sda1 will be the (U)EFI partition and /dev/sda2 will be the ext2 partition mounted as /boot).

Then the passwords entered twice will be your new passphrase + YubiKey; the 3rd password has to match the passphrase in LUKS slot 0.

If you get a "locale not found" error, it had no impact for me, but then I'm used to avoiding the keyboard letters/digits that differ between layouts (i.e. qwzm).

Reboot and try your new passphrase + YubiKey at the Mint PBA login. Note: only the success messages will be shown as text (no visible hint about using a YubiKey).

Last word: many thanks to the OP and privacyIDEA for putting this package up, this is fantastic work.