flowolf/initramfs_ykfde
an init for initramfs that supports full disk encryption (fde) using the yubico yubikey AES challenge response
this script is meant as an inspirational guideline on how one could realize full disk encryption using a yubikey and the challenge response feature supported by yubikeys after version 2.2 (http://www.yubico.com/challenge-response)
- it is capable of using the yubikey challenge response to generate a password
- it generates a new key on every bootup. (the challenge is changed)
- it supports yubikey's slot 1 or 2
- it supports two factor authentication (combining a user password and the challenge response from the yubikey)
- ykchalresp (found on github, it needs to be available in your initramfs: https://github.com/Yubico/yubikey-personalization)
- uuidgen
- lvm
- cryptsetup
your system boots into initramfs and runs 'init' (this script). your kernel has to deliver all dependencies, as this script is very basic. it further requests the challenge stored on boot (in /boot/crypt-challenge) and combines the response with a user-given password (that you have to provide). after unlocking your partitions it generates a new challenge, saves it to the beforementioned file and sets the new combination of user password and response as the new password on slot "3" of the luks header. the new password is temporarily written to /newroot/root/key, which is assumed to be on your encrypted device.
to initialize your crypt device to work with this script do the following: we will use slot 3 for the challenge response key, you can change that to any available slot.
$ cryptsetup luksKillSlot /dev/yourdev 3 (optional, if you had a key there)
$ mount /boot
$ uuidgen > /boot/crypt-challenge
$ ykchalresp -2 "$(cat /boot/crypt-challenge)" > ~/key
we assume that ~/key is located on your encrypted partition, otherwise this might be a security risk!
$ vi ~/key (add a userpassword in front of the string)
you will type in this password at every bootup; the script will combine your passphrase and the yubikey response.
$ cryptsetup luksAddKey --key-slot 3 /dev/sda2 ~/key
$ rm ~/key
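The following is an added example, not the init from flowolf/initramfs_ykfde: it writes the one-time enrolment above and the boot-time flow (read challenge, combine password and response, unlock, rotate the challenge) as POSIX shell functions. Everything beyond what the README states is an assumption of this example: the temporary key files live on the /run tmpfs instead of /newroot/root/key, the rotation uses `cryptsetup luksChangeKey` instead of killing and re-adding slot 3, the challenge file is only overwritten after cryptsetup has succeeded, and all function and variable names are invented here.

```shell
#!/bin/sh
# Added example, not the flowolf/initramfs_ykfde init itself: the README's
# enrolment steps and boot-time flow as functions so each step can be checked.
# Assumed here (not on the page): /run for the temporary key files, the
# luksChangeKey rotation, and all function and variable names.
set -eu
umask 077

CHALLENGE_FILE=${CHALLENGE_FILE:-/boot/crypt-challenge}
KEY_DIR=${KEY_DIR:-/run}          # tmpfs: the key never lands on an unencrypted disk
KEY_SLOT=${KEY_SLOT:-3}           # LUKS key slot reserved for the yubikey-derived key
YK_SLOT=${YK_SLOT:-2}             # yubikey slot with the challenge-response config

# Response of the yubikey to a challenge string (ykchalresp -1 / -2).
yk_response() {
    ykchalresp -"$YK_SLOT" "$1"
}

# The LUKS passphrase as the README builds it: user password in front of the
# yubikey response, no separator and (in this example) no trailing newline.
compose_key() {
    printf '%s%s' "$1" "$2"
}

# One-time enrolment, the README's manual steps as one function: a first
# challenge on /boot and its passphrase in KEY_SLOT. The add is authorised
# with an existing passphrase file (e.g. the one from slot 0).
enroll_key() {
    dev=$1; password=$2; existing_keyfile=$3
    challenge=$(uuidgen)
    compose_key "$password" "$(yk_response "$challenge")" > "$KEY_DIR/new-key"
    cryptsetup luksAddKey --key-slot "$KEY_SLOT" --key-file "$existing_keyfile" \
        "$dev" "$KEY_DIR/new-key"
    printf '%s\n' "$challenge" > "$CHALLENGE_FILE"
    rm -f "$KEY_DIR/new-key"
}

# Open the device with the challenge stored on /boot and the user's password.
# Prints the passphrase that worked so the caller can hand it to rotate_key.
unlock_root() {
    dev=$1; name=$2; password=$3
    challenge=$(cat "$CHALLENGE_FILE")
    key=$(compose_key "$password" "$(yk_response "$challenge")")
    printf '%s' "$key" > "$KEY_DIR/cur-key"
    cryptsetup luksOpen --key-file "$KEY_DIR/cur-key" "$dev" "$name"
    rm -f "$KEY_DIR/cur-key"
    printf '%s' "$key"
}

# Rotate the challenge: derive the next passphrase from a fresh uuid, replace
# the key in KEY_SLOT with it (authorised by the current key), and only then
# overwrite the challenge file. Writing the challenge first would leave /boot
# pointing at a key that is not in the header if anything fails in between,
# i.e. a system that no longer boots. Prints the new challenge.
rotate_key() {
    dev=$1; password=$2; current_key=$3
    new_challenge=$(uuidgen)
    printf '%s' "$current_key" > "$KEY_DIR/cur-key"
    compose_key "$password" "$(yk_response "$new_challenge")" > "$KEY_DIR/new-key"
    cryptsetup luksChangeKey --key-slot "$KEY_SLOT" --key-file "$KEY_DIR/cur-key" \
        "$dev" "$KEY_DIR/new-key"
    printf '%s\n' "$new_challenge" > "$CHALLENGE_FILE"
    rm -f "$KEY_DIR/cur-key" "$KEY_DIR/new-key"
    printf '%s' "$new_challenge"
}

# The whole sequence as init would run it; the password comes from the console.
boot_main() {
    dev=$1; password=$2
    key=$(unlock_root "$dev" cryptroot "$password")
    rotate_key "$dev" "$password" "$key" > /dev/null
}

# Only run the full sequence when invoked as: script boot <device> <password>
if [ "${1:-}" = "boot" ]; then
    boot_main "$2" "$3"
fi
```

Whichever layout you use, the bytes given to luksAddKey at enrolment and to luksOpen at boot must be identical. With the README's manual steps, `ykchalresp ... > ~/key` and the vi edit leave a trailing newline in ~/key, and cryptsetup uses the whole content of a key file as the passphrase, so an init script has to reproduce that newline exactly; this example sidesteps the issue by never emitting one.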