I'm trying to use a Yubikey 4 as a second factor to access a LUKS-encrypted USB HDD. Here's how far I've gotten:

I'm using yubikey-luks to add my HMAC-SHA1 hashed password to slot 7 of the device.

  • Problem: cryptsetup only challenges the yubikey on boot, and I'm opening the device once logged in.

However, I can use ykchalresp to manually challenge my Yubikey.

  • Problems:
    • That involves inputting my passphrase in plain text into a terminal.
    • Even if I get past that, I don't know a way to conveniently pipe/input that to cryptsetup.

I've thought of writing the hashed passphrase to a file and using it as --key-file, but that sounds like a bad idea since I'll have the key to my device lying around.

Please let me know if I'm formatting a command wrong, or if you have a way around any of my problems!

2 Answers

I've done exactly what you are looking to do. The way I did it is outlined below. Is it the correct way? Well... that's up for debate, but it works for me. Hope it helps you. Also, I'm not on Ubuntu, but it should work the same on Ubuntu.

First, I set up the Yubikey configuration by editing /etc/ykfde.conf and setting YKFDE_CHALLENGE to a long random string, 40 characters or so. It doesn't matter what it is, just make sure it's random. This allows me to decrypt my drive without it asking me for a secret password. Also, set YKFDE_CHALLENGE_SLOT to whatever slot on your Yubikey you want to use. (Make sure you've set up your Yubikey for HMAC-SHA1 challenge-response on that slot.)

Next, I set up my drive to be encrypted with the following commands (this assumes that you've already partitioned your drive with fdisk or a similar utility):

# This will ask you for a password. Set a password so that you
# can decrypt the drive without your Yubikey
sudo cryptsetup luksFormat /dev/sda1

# Next, enroll the Yubikey so that it can decrypt it as well
# When required, touch your Yubikey so it can get a challenge-response
# It'll ask for an existing password, just enter the one you set in the last command
sudo ykfde-enroll -d /dev/sda1 -s 1

# Next decrypt the drive and add a file system
# Enter the password you set in the first command
sudo cryptsetup open /dev/sda1 drive
sudo mkfs.ext4 /dev/mapper/drive

After all the setup was done, I created a file called mountDrive.sh in my home directory as follows:

# Load YKFDE_CHALLENGE (and the other YKFDE_* settings) from the ykfde config
. /etc/ykfde.conf
# Challenge slot 2 of the Yubikey; the response is piped to cryptsetup as the LUKS passphrase
ykchalresp -2 "$YKFDE_CHALLENGE" | sudo cryptsetup open /dev/sda1 drive
# Mount the unlocked mapping
sudo mount /dev/mapper/drive /run/mount/

Now, I simply run sh mountDrive.sh. My Yubikey flashes, I tap it, and then my drive is mounted at /run/mount.

Obviously, you'd need to change /dev/sda1 to whatever your drive device is and change /run/mount to wherever you want to mount your drive.

Also, the ykchalresp -2 command tells it to use slot 2 on my Yubikey. Change that to whatever slot you have configured in your /etc/ykfde.conf file.

One more thing is that I set up /etc/sudoers so that I can use sudo without having to type in my password. Perhaps there is a better way to do it without having to use sudo to decrypt and mount your drive... not sure... anyway, here's how I set that up:

Add %wheel ALL=(ALL) NOPASSWD: ALL to the /etc/sudoers file.
Add your account to the wheel group like:

# Append (-a) the current user to the wheel group
sudo usermod -a -G wheel "$(whoami)"

Ray Perea
I suggest you use this small, nice project: yubikey-full-disk-encryption on GitHub.

It is a collection of scripts to enroll and open an encrypted device. The README.md documents fairly well what you need to do. It also has the instructions to set up auto-decryption with a Yubikey on boot.

Basically, you need to do the following:

  • git clone/download the project and cd to its folder
  • sudo make install installs the project
  • you should modify the configuration file in /etc/ykfde.conf; in particular I modified the following options:
    • YKFDE_DISK_UUID (required; you can get it with the command blkid /dev/sdX, where /dev/sdX is the name of your external device)
    • YKFDE_LUKS_NAME (required; a good name is luks-<uuid-of-the-encrypted-volume>)
    • YKFDE_CHALLENGE (optional, but you need it to enable 2FA)
    • YKFDE_CHALLENGE_SLOT (optional; by default it is set to 1, but remember that slot 1 contains the configuration for Yubikey OTP)
    • YKFDE_CHALLENGE_PASSWORD_NEEDED, if you want to also input your password (so that the Yubikey acts as second-factor authentication, instead of being enough to unlock the volume by itself)

Then you can follow the instructions in the README.md to set up the Yubikey challenge-response and add it to the encrypted volume as an additional passphrase.

In the end, I advise you to run make test, which will test the configuration.

I've got my Yubikey working with an encrypted loop device, so I think it should also work with an external HDD.

Hope this helps.
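An added example, written for this page and not Ray Perea's mountDrive.sh nor a script from the yubikey-full-disk-encryption project: it ties the two answers together by reading YKFDE_CHALLENGE and YKFDE_CHALLENGE_SLOT from /etc/ykfde.conf (the keys the second answer lists) instead of hard-coding ykchalresp -2, refusing to run with an unset or oddly sized challenge, and adding the matching unmount path. The device path, mapper name and mount point are assumptions set via environment variables; the 20-character lower bound on the challenge is my own choice.

```shell
#!/bin/sh
# Added example, not the answer's script: mount/unmount a LUKS device whose
# passphrase is a YubiKey HMAC-SHA1 response, driven by /etc/ykfde.conf.
set -eu

CONF=/etc/ykfde.conf            # config file the yubikey-full-disk-encryption install provides
DEV=${DEV:-/dev/sda1}            # assumption: your LUKS partition
NAME=${NAME:-drive}              # assumption: mapping name, i.e. /dev/mapper/$NAME
MNT=${MNT:-/run/mount}           # assumption: where to mount the unlocked filesystem

# Map YKFDE_CHALLENGE_SLOT (1 or 2) to the ykchalresp flag (-1 or -2).
# Any other value is refused rather than silently falling back to some slot.
slot_flag() {
    case "$1" in
        1) printf '%s' "-1" ;;
        2) printf '%s' "-2" ;;
        *) echo "slot_flag: YKFDE_CHALLENGE_SLOT must be 1 or 2, got '$1'" >&2; return 1 ;;
    esac
}

# The challenge itself is not a secret (the HMAC key lives inside the YubiKey
# slot), but it must stay fixed and be long enough, because the response to it
# is the actual LUKS passphrase. A YubiKey HMAC-SHA1 slot accepts challenges of
# up to 64 bytes; the 20-byte floor is my own sanity threshold.
check_challenge() {
    len=${#1}
    if [ "$len" -lt 20 ] || [ "$len" -gt 64 ]; then
        echo "check_challenge: challenge must be 20..64 bytes, got $len" >&2
        return 1
    fi
}

mount_drive() {
    [ -r "$CONF" ] || { echo "missing or unreadable $CONF" >&2; return 1; }
    . "$CONF"
    check_challenge "${YKFDE_CHALLENGE:-}"
    flag=$(slot_flag "${YKFDE_CHALLENGE_SLOT:?YKFDE_CHALLENGE_SLOT not set in $CONF}")
    # ykchalresp prints the hex response followed by a newline; cryptsetup reads
    # a passphrase from stdin up to that newline, so the response is used once
    # to unlock the key slot and is never written to disk or shell history.
    ykchalresp "$flag" "$YKFDE_CHALLENGE" | sudo cryptsetup open "$DEV" "$NAME"
    sudo mount "/dev/mapper/$NAME" "$MNT"
}

unmount_drive() {
    # Reverse order of mount_drive so the mapping is never left open after unmount.
    sudo umount "$MNT"
    sudo cryptsetup close "$NAME"
}

# Only act when asked; running or sourcing with no arguments does nothing.
case "${1:-}" in
    mount)   mount_drive ;;
    unmount) unmount_drive ;;
    "")      ;;
    *)       echo "usage: $0 mount|unmount" >&2; exit 2 ;;
esac
```

Run it as sh ykmount.sh mount and sh ykmount.sh unmount. Because the secret never leaves the YubiKey and the response is consumed directly by cryptsetup, there is no key file to protect, which addresses the --key-file worry in the question; keep the ordinary passphrase set at luksFormat time in another slot as your recovery path if the key is lost. If you dislike a blanket NOPASSWD: ALL sudoers rule, the same flow works with a rule limited to the cryptsetup, mount and umount binaries.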