Write the key history object (0x5FC10C) to the YubiKey; it tells OpenSC that 20 retired key slots are in use. Apparently this makes the OSX Keychain utility crap itself when it sees this, so watch out!
echo -n C10114C20100FE00 | yubico-piv-tool -a write-object --id 0x5FC10C -i -
Generate a new private key in retired slot 8e, and require a touch on the device for every use of it.
yubico-piv-tool -a generate -s 8e --touch-policy=always -o public.pem
OpenSC needs a certificate in the slot alongside the private key, even though nobody is ever going to use it, so self-sign one and import it...
yubico-piv-tool -a verify-pin -a selfsign-certificate -s 8e -S '/CN=dm_crypt_key/' -i public.pem -o cert.pem
yubico-piv-tool -a import-certificate -s 8e -i cert.pem
Get 512 bits of random key material, and encrypt it to the public key we just generated on the YubiKey.
dd if=/dev/random bs=$((512/8)) count=1 | openssl rsautl -encrypt -inkey public.pem -pubin -out key.bin.enc -pkcs
Stash the encrypted key in the wasted space between the partition table and the start of the first partition, which for some reason wants to be 2048 sectors in... Plenty of room for the 256 bytes of encrypted, padded key.
dd if=key.bin.enc of=/dev/sdb bs=256 seek=4
The command to create the encrypted volume and the command to open it are the same: read the encrypted key back off the disk, have the YubiKey decrypt it, and pass it to cryptsetup as a plain (non-hashed) 512-bit aes-xts-plain key.
dd if=/dev/sdb bs=256 count=1 skip=4 | pkcs15-crypt --decipher --pkcs1 --raw | cryptsetup open /dev/sdb1 cryptic --type plain --hash plain --cipher aes-xts-plain --key-file=- --key-size 512
Now you can either create a new filesystem
mke2fs -T ext3 -m 0 /dev/mapper/cryptic
or mount an existing one
mount /dev/mapper/cryptic /mnt
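As an added example (not part of these notes, and not from any of the tools used above): a Python helper that encodes and decodes the 0x5FC10C key history object written in the first step, and checks against an MBR whether the 256-byte blob written with bs=256 seek=4 really lands in the gap before the first partition. It refuses a GPT protective MBR, because the GPT partition entry array at LBA 2 is exactly where that blob would go. The MBR image is constructed here; the slot count, offsets and blob size are the page's own.

```python
import struct
SECTOR = 512
KEY_BLOB_OFFSET = 256 * 4   # where "dd ... bs=256 seek=4" puts the blob (byte 1024)
KEY_BLOB_LEN = 256          # one RSA-2048 ciphertext, as produced by the rsautl step

def build_key_history(on_card: int, off_card: int) -> bytes:
    """Encode the PIV Key History object (5FC10C): C1 = retired keys with on-card
    certs, C2 = with off-card certs, FE = empty LRC. (20, 0) gives the page's hex."""
    if not (0 <= on_card <= 20 and 0 <= off_card <= 20):
        raise ValueError("PIV defines at most 20 retired key slots (82..95)")
    return bytes([0xC1, 0x01, on_card, 0xC2, 0x01, off_card, 0xFE, 0x00])

def parse_key_history(obj: bytes) -> dict:
    """Walk the one-byte-tag / one-byte-length TLVs and return both counts."""
    out, i = {}, 0
    while i + 2 <= len(obj):
        tag, ln = obj[i], obj[i + 1]
        val = obj[i + 2:i + 2 + ln]
        if len(val) != ln:
            raise ValueError("truncated TLV")
        out[tag] = val
        i += 2 + ln
    return {"on_card": out[0xC1][0], "off_card": out[0xC2][0]}

def first_partition_start(mbr: bytes) -> int:
    """Byte offset of the lowest-starting MBR partition.  Refuses a GPT protective
    MBR: the GPT entry array at LBA 2 is exactly where seek=4 puts the blob."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature")
    starts = []
    for n in range(4):
        e = mbr[446 + 16 * n:446 + 16 * (n + 1)]
        ptype, lba = e[4], struct.unpack("<I", e[8:12])[0]
        if ptype == 0xEE:
            raise ValueError("protective MBR: GPT structures occupy the gap")
        if ptype and lba:
            starts.append(lba)
    if not starts:
        raise ValueError("no partitions defined")
    return min(starts) * SECTOR

def blob_fits(mbr: bytes) -> bool:
    """True when the blob sits after the MBR and ends before the first partition."""
    end = KEY_BLOB_OFFSET + KEY_BLOB_LEN
    return KEY_BLOB_OFFSET >= SECTOR and end <= first_partition_start(mbr)

def sample_mbr(first_lba: int = 2048, ptype: int = 0x83) -> bytes:
    """Constructed 512-byte MBR with one partition of type ptype starting at first_lba."""
    entry = bytes([0x80, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", first_lba, 1 << 20)
    return bytes(446) + entry + bytes(48) + b"\x55\xaa"
```

On a real disk, feed the first 512 bytes of the device to blob_fits before running the seek=4 dd; a False result or a GPT error means the stash location would corrupt something.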