Created February 6, 2019 18:14
Using yubikey to unlock LUKS partitions
# Using yubikey to unlock LUKS partitions
# My sdb3 is a LUKS partition that holds LVM and my root fs (/)
# My sda1 is my LUKS data partition, mounted at /data
# I will use the yubikey as 2FA to unlock sdb3; sda1 will be unlocked by a key file
## On sdb3
# Configure slot two of the yubikey for HMAC-SHA1 challenge-response mode
ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
# Find a free key slot in the sdb3 LUKS header
sudo cryptsetup luksDump /dev/sdb3
# Enroll the yubikey as 2FA in that sdb3 key slot
sudo yubikey-luks-enroll -s <slot luks> -c -d /dev/sdb3
## On sda1
# Find a free key slot in the sda1 LUKS header
sudo cryptsetup luksDump /dev/sda1
# Create a random 2048-byte secret key file (it lives on the encrypted root fs; keep it root-only, e.g. chmod 0400)
sudo dd if=/dev/urandom of=/etc/sda1.key bs=512 count=4
# Add the secret key file to a free slot in the sda1 LUKS header
sudo cryptsetup -S <slot luks> luksAddKey /dev/sda1 /etc/sda1.key
# Reference the key file in the sda1 entry in /etc/crypttab. Example:
data UUID=41938a76-ee31-4be9-86f5-e4d129810dcf /etc/sda1.key nofail
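Both "find a free slot" steps above are done by reading `cryptsetup luksDump` output by eye. As an added example that is not part of the gist, this POSIX sh function parses that output and prints the lowest unused key slot; the two sample dumps are constructed and trimmed, standing in for the real headers of sdb3 and a LUKS2 device.

```shell
#!/bin/sh
# Added example, not part of the original gist: pick the first free LUKS key
# slot from `cryptsetup luksDump` output instead of reading the dump by eye.
# Handles LUKS1 headers ("Key Slot N: ENABLED|DISABLED", 8 slots) and LUKS2
# headers ("Keyslots:" section listing "  N: luks2", 32 slots).

# first_free_keyslot DUMP_TEXT -> prints the lowest unused slot; exit 1 if none
first_free_keyslot() {
    dump="$1"
    if printf '%s\n' "$dump" | grep -q '^Version:[[:space:]]*2'; then
        # LUKS2: only slots in use are listed, each as "  N: luks2"
        used=$(printf '%s\n' "$dump" | awk '
            /^Keyslots:/ { inslots = 1; next }
            /^[A-Z]/     { inslots = 0 }
            inslots && /^  [0-9]+: / { sub(":", "", $1); print $1 }')
        max=31
    else
        # LUKS1: all 8 slots are listed with their state
        used=$(printf '%s\n' "$dump" | awk '
            /^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3 }')
        max=7
    fi
    i=0
    while [ "$i" -le "$max" ]; do
        # a slot is free when its number is absent from the used list
        printf '%s\n' "$used" | grep -qx "$i" || { echo "$i"; return 0; }
        i=$((i + 1))
    done
    return 1
}

# Constructed sample dumps, trimmed to the lines the parser relies on.
# LUKS1: slot 0 = passphrase, slot 7 = yubikey-luks default; slot 1 is free.
LUKS1_SAMPLE='LUKS header information for /dev/sdb3
Version:        1
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 7: ENABLED'
# LUKS2: slots 0 and 1 in use; slot 2 is free.
LUKS2_SAMPLE='LUKS header information
Version:        2
Keyslots:
  0: luks2
  1: luks2
Tokens:
Digests:
  0: pbkdf2'
echo "sdb3 first free key slot: $(first_free_keyslot "$LUKS1_SAMPLE")"   # 1
echo "luks2 first free key slot: $(first_free_keyslot "$LUKS2_SAMPLE")"  # 2
```

On a real system feed it `sudo cryptsetup luksDump /dev/sdb3` and pass the result to `yubikey-luks-enroll -s` or `cryptsetup -S` instead of the `<slot luks>` placeholder.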