Full disk encryption with Yubikey (Yubico key) for dracut
This enables you to automatically unlock a LUKS encrypted filesystem from
a systemd-enabled initramfs.
Requirements
To compile and use Yubikey full disk encryption you need:
- libyubikey-devel
- ykpers-devel
- iniparser-devel
- libarchive-devel
- cryptsetup-devel
- python-markdown
- systemd-devel
- keyutils-libs-devel
Additionally you will need to have make and pkg-config installed to
successfully compile.
Build and install
Building and installing is very easy. Just run:
make
Some distributions do have different names for markdown executable.
For Fedora you have to run:
make MD=markdown_py
Build command is followed by:
make install-dracut
This will place the files in their desired places in the filesystem.
Keep in mind that you need root privileges for installation, so switch
user or prepend the last command with sudo.
Usage
config files /etc/crypttab and /etc/ykfde.conf
Make sure systemd knows about your encrypted device by
adding a line to /etc/crypttab. It should read like:
mapping-name/dev/LUKS-device-
Usually there is already an entry for your device.
Update /etc/ykfde.conf with correct settings. Add the value of
mapping-name from above to device name in the general section. Then
add a new section with your key's decimal serial number containing the key
slot setting. The minimal file should look like this:
[general]
device name = crypt
[1234567]
luks slot = 1
Be warned: Do not remove or overwrite your interactive (regular) key! Keep that for backup and rescue - LUKS encrypted volumes have a total of 8 slots (from 0 to 7).
Key setup
ykfde will read its information from these files and understands some
additional options. Run ykfde --help for details. Then prepare
the key. Plug it in and make sure it is configured for HMAC-SHA1. This can
be done with ykpersonalize from terminal (package ykpers)
or with GUI application YubiKey Personalization Tool. After that, run:
ykfde
This will store a challenge in /etc/ykfde.d/ and add a new slot to
your LUKS device based on the /etc/ykfde.conf configuration. When
ykfde asks for a passphrase it requires a valid passphrase from a
previously available slot.
Alternatively, adding a key with second factor (foo in this example)
is as easy:
ykfde --new-2nd-factor foo
To update the challenge run:
ykfde --2nd-factor foo
And changing second factor (from foo to bar in this example) is
straight forward:
ykfde --2nd-factor foo --new-2nd-factor bar
The current and new second factor can be read from terminal, increasing
security by not displaying on display and not writing to shell history.
Use switches --ask-2nd-factor and --ask-new-2nd-factor for that.
Make sure to enable second factor in /etc/ykfde.conf.
cpio archive with challenges
Every time you update a challenge and/or a second factor run:
ykfde-cpio
This will write a cpio archive to /boot/ykfde-challenges.img containing
your current challenges. Enable systemd service ykfde to do this
automatically on every boot:
systemctl enable ykfde.service
dracut
Build the initramfs:
dracut -f
Boot loader
Make sure to load the cpio archive /boot/ykfde-challenges.img
as an additional initramfs. It has to be listed after microcode
updates (if available), but before main initramfs.
With grub you need to list ykfde-challenges.img in configuration
variable GRUB_EARLY_INITRD_LINUX_CUSTOM in /etc/default/grub:
GRUB_EARLY_INITRD_LINUX_CUSTOM="ykfde-challenges.img"
Then update your grub configuration by running:
grub-mkconfig -o /boot/grub/grub.cfg
A valid configuration for systemd-boot should be placed in
/boot/loader/entries/default.conf and look something like this:
title Default
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /ykfde-challenges.img
initrd /initramfs-linux.img
options root=... rw quiet
Reboot and have fun!