an init for initramfs, that supports full disk encryption (fde) using the yubico yubikey AES challenge response

NotificationsYou must be signed in to change notification settings

flowolf/initramfs_ykfde

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 

Repository files navigation

an init for initramfs, that supports full disk encryption (fde) using the yubico yubikey AES challenge response

This script is meant as an inspirational guideline on how one could realize full disk encryption using a YubiKey and the challenge-response feature supported by YubiKeys after version 2.2 (http://www.yubico.com/challenge-response).

Features of this script:

  • it is capable of using the YubiKey challenge-response to generate a password
  • it generates a new key on every bootup (the challenge is changed)
  • it supports the YubiKey's slot 1 or 2
  • it supports two-factor authentication (combining a user password and the challenge response from the YubiKey)

You will need (in your initramfs and in your system):

  •  ykchalresp (found on GitHub; it needs to be available in your initramfs: https://github.com/Yubico/yubikey-personalization)
  •  uuidgen
  •  lvm
  •  cryptsetup

How this script works:

Your system boots into the initramfs and runs 'init' (this script); your kernel has to deliver all dependencies, as this script is very basic. It then reads the challenge stored on boot (in /boot/crypt-challenge) and combines the YubiKey's response to it with a user-given password (that you have to provide). After unlocking your partitions it generates a new challenge, saves it to the aforementioned file, and sets the new combination of user password and response as the new password on slot "3" of the LUKS header. The new password is temporarily written to /newroot/root/key, which is assumed to be on your encrypted device.

init

To initialize your crypt device to work with this script, do the following. We will use slot 3 for the challenge-response key; you can change that to any available slot.

$ cryptsetup luksKillSlot /dev/yourdev 3   (optional, if you had a key there)

$ mount /boot

$ uuidgen > /boot/crypt-challenge

$ ykchalresp -2 "$(cat /boot/crypt-challenge)" > ~/key

(The challenge has to be passed to ykchalresp as the contents of the file, hence the command substitution; quoting the cat command itself as a literal string would use the text "cat /boot/crypt-challenge" as the challenge.)

We assume that ~/key is located on your encrypted partition; otherwise this might be a security risk!

$ vi ~/key   (add a user password in front of the string)

You will type this password in at every bootup; the script will combine your passphrase and the YubiKey response.

$ cryptsetup luksAddKey --key-slot 3 /dev/sda2 ~/key

$ rm ~/key
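The boot-time flow described under "How this script works" and the manual initialization steps above, written out as POSIX sh functions. This is an added example, not the repository's init script: it assumes the key layout "user password immediately followed by the ykchalresp response, no trailing newline", it replaces the slot in one step with `cryptsetup luksChangeKey` instead of kill-slot-then-add-key so the slot is never empty, and it takes the command names from variables (`YKCHALRESP`, `CRYPTSETUP`, `UUIDGEN`) so the logic can be exercised with stand-ins where no YubiKey or LUKS device is present. The paths and slot numbers default to the ones used in this README.

```shell
#!/bin/sh
# Added example (not the project's own init): YubiKey challenge-response key
# handling for a LUKS slot. Assumptions: composite key = <password><response>
# without newline; luksChangeKey replaces the slot atomically; command names
# come from variables so stand-ins can be substituted for testing.

CHALLENGE_FILE="${CHALLENGE_FILE:-/boot/crypt-challenge}"
LUKS_DEV="${LUKS_DEV:-/dev/sda2}"
KEY_SLOT="${KEY_SLOT:-3}"                 # LUKS key slot reserved for the YubiKey key
YK_SLOT="${YK_SLOT:-2}"                   # YubiKey configuration slot (1 or 2)
MAPPER_NAME="${MAPPER_NAME:-cryptroot}"   # hypothetical device-mapper name
KEY_TMPDIR="${KEY_TMPDIR:-/newroot/root}" # must be on the encrypted device
YKCHALRESP="${YKCHALRESP:-ykchalresp}"
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"
UUIDGEN="${UUIDGEN:-uuidgen}"

# Composite passphrase: the user password followed by the token's response to
# the challenge. The challenge on the unencrypted /boot is useless without
# both the token and the password.
make_key() {
    _userpass="$1"
    _challenge="$2"
    [ -n "$_challenge" ] || return 1
    _response=$("$YKCHALRESP" -"$YK_SLOT" "$_challenge") || return 1
    [ -n "$_response" ] || return 1
    printf '%s%s' "$_userpass" "$_response"
}

# Boot-time step: derive the current key and open the LUKS device with it.
unlock() {
    _key=$(make_key "$1" "$(cat "$CHALLENGE_FILE")") || return 1
    printf '%s' "$_key" | "$CRYPTSETUP" luksOpen --key-file - "$LUKS_DEV" "$MAPPER_NAME"
}

# Post-unlock step: pick a fresh challenge, replace the slot key with the key
# derived from it, and only then overwrite the challenge file, so a crash in
# between leaves the old challenge/key pair intact and the system bootable.
rotate_challenge() {
    _userpass="$1"
    _old_challenge=$(cat "$CHALLENGE_FILE") || return 1
    _new_challenge=$("$UUIDGEN") || return 1
    _old_key=$(make_key "$_userpass" "$_old_challenge") || return 1
    _new_key=$(make_key "$_userpass" "$_new_challenge") || return 1
    _keyfile="$KEY_TMPDIR/key"
    umask 077
    printf '%s' "$_new_key" > "$_keyfile" || return 1
    # old key on stdin, new key read from the temporary file on the encrypted root
    if printf '%s' "$_old_key" | "$CRYPTSETUP" luksChangeKey --key-slot "$KEY_SLOT" \
            --key-file - "$LUKS_DEV" "$_keyfile"; then
        printf '%s\n' "$_new_challenge" > "$CHALLENGE_FILE"
        _rc=0
    else
        _rc=1
    fi
    rm -f "$_keyfile"
    return $_rc
}

# One-time initialisation equivalent to the README's manual steps, without a
# key file ever being written outside KEY_TMPDIR. luksAddKey asks for an
# existing passphrase of the device interactively.
init_slot() {
    _userpass="$1"
    _challenge=$("$UUIDGEN") || return 1
    _key=$(make_key "$_userpass" "$_challenge") || return 1
    _keyfile="$KEY_TMPDIR/key"
    umask 077
    printf '%s' "$_key" > "$_keyfile" || return 1
    if "$CRYPTSETUP" luksAddKey --key-slot "$KEY_SLOT" "$LUKS_DEV" "$_keyfile"; then
        printf '%s\n' "$_challenge" > "$CHALLENGE_FILE"
        _rc=0
    else
        _rc=1
    fi
    rm -f "$_keyfile"
    return $_rc
}

# Run directly as: ./ykfde.sh {init|unlock|rotate}  with the user password on stdin.
# When sourced (no argument) only the functions are defined.
case "${1:-}" in
    init)   IFS= read -r _p; init_slot "$_p" ;;
    unlock) IFS= read -r _p; unlock "$_p" ;;
    rotate) IFS= read -r _p; rotate_challenge "$_p" ;;
esac
```

The ordering in `rotate_challenge` is the point worth copying into any init that rotates the challenge: the LUKS slot is updated first and the challenge file on /boot second, so an interrupted boot can at worst leave a stale challenge that still matches the key in the header, rather than a fresh challenge whose key was never stored.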
