Yubikey LUKS setup for Ubuntu 22.04 LTS
$ sudo apt install yubikey-luks yubikey-personalization
$ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
root@laptop:~# lsblk
NAME                    MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1                 259:0    0 953,9G  0 disk
├─nvme0n1p1             259:1    0   512M  0 part  /boot/efi
├─nvme0n1p2             259:2    0   732M  0 part  /boot
└─nvme0n1p3             259:3    0 952,7G  0 part
  └─nvme0n1p3_crypt     253:0    0 952,6G  0 crypt
    ├─vgubuntu-root     253:1    0 930,4G  0 lvm   /
    └─vgubuntu-swap_1   253:2    0   976M  0 lvm   [SWAP]
In this case the name of the encrypted partition is nvme0n1p3.
$ sudo cryptsetup luksDump /dev/nvme0n1p3
LUKS header information
Version:        2
Epoch:          4
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           ca5b1f00-27be-4058-af39-8e33ba9b533a
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)
Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]
Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2i
        Time cost:  8
        Memory:     1048576
        Threads:    4
        Salt:       XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
                    XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
        AF stripes: 4000
        AF hash:    sha256
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
There should be no 1: luks2 entry under Keyslots, because the enrollment below writes to slot 1 (-s 1).
$ sudo yubikey-luks-enroll -d /dev/nvme0n1p3 -s 1
Remember the challenge/passphrase you used!
In /etc/crypttab, change the entry from
nvme0n1p3_crypt UUID=abcdefab-1234-abcd-abcd-123456789abc none luks,discard
to this:
nvme0n1p3_crypt UUID=abcdefab-1234-abcd-abcd-123456789abc none luks,discard,keyscript=/usr/share/yubikey-luks/ykluks-keyscript
(the value abcdefab-1234-abcd-abcd-123456789abc will be the UUID of your disk)
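The two checks behind the steps above (slot 1 must be free before `yubikey-luks-enroll -s 1`, and the crypttab entry gains the keyscript option without losing its existing options), as an added shell example that is not part of the yubikey-luks package. The function names `keyslot_in_use` and `add_keyscript` and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example; not part of the yubikey-luks package.
KEYSCRIPT=/usr/share/yubikey-luks/ykluks-keyscript  # path from the crypttab line above

# keyslot_in_use SLOT: reads `cryptsetup luksDump` output on stdin and succeeds
# (exit 0) if the Keyslots section of a LUKS2 header lists SLOT.
keyslot_in_use() {
    awk -v slot="$1" '
        /^Keyslots:/                       { in_ks = 1; next }
        /^(Tokens|Digests|Data segments):/ { in_ks = 0 }
        in_ks && $1 == (slot ":") && $2 == "luks2" { found = 1 }
        END { exit !found }
    '
}

# add_keyscript TARGET: filters crypttab text on stdin and appends the
# keyscript option to the entry named TARGET. Comments, other entries and an
# entry that already has a keyscript= option are passed through unchanged.
add_keyscript() {
    awk -v target="$1" -v opt="keyscript=$KEYSCRIPT" '
        /^[ \t]*#/ || NF < 3 || $1 != target { print; next }
        ("," $4) ~ /,keyscript=/             { print; next }
        { print $1, $2, $3, (NF >= 4 ? $4 "," opt : opt) }
    '
}

# Constructed sample input (abridged luksDump output and one crypttab entry).
SAMPLE_DUMP='Keyslots:
  0: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2'
SAMPLE_CRYPTTAB='# <target> <source> <key file> <options>
nvme0n1p3_crypt UUID=abcdefab-1234-abcd-abcd-123456789abc none luks,discard'

if printf '%s\n' "$SAMPLE_DUMP" | keyslot_in_use 1; then
    echo "slot 1 is occupied: pick another slot for -s"
else
    echo "slot 1 is free"
fi
printf '%s\n' "$SAMPLE_CRYPTTAB" | add_keyscript nvme0n1p3_crypt
```

On a real system, pipe `sudo cryptsetup luksDump /dev/nvme0n1p3` into `keyslot_in_use 1` and review the filtered crypttab text before replacing the file.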
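If you want the machine to be unlocked only by the YubiKey, you can add the challenge/passphrase from the enrollment step to /etc/ykluks.cfg. With the challenge stored in that file, the inserted YubiKey unlocks the disk by itself, with no passphrase prompt.
Add a line with the challenge: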
YUBIKEY_CHALLENGE="YOUR PASSPHRASE HERE"
Replace /usr/share/yubikey-luks/ykluks-keyscript from the yubikey-luks package with the file from this repo. The file shipped with 22.04 is broken (the YUBIKEY_CHALLENGE part does not work!).
$ sudo update-initramfs -u
Now you can:
- Boot without YubiKey and enter unlock password as normal or...
- Boot with the YubiKey inserted - the machine should then boot without user interaction (if the challenge is in ykluks.cfg)
- Boot to luks password prompt, insert YubiKey and enter challenge