Cannot use Yubikey keyslot to manage keys #74

Open
HackSane opened this issue Nov 9, 2021 · 4 comments

@HackSane

HackSane commented Nov 9, 2021

It seems that a Yubikey keyslot can only be used to unlock on bootup, but not to manage LUKS once logged in, such as adding and changing keys. This would mean that you must keep a password-only LUKS keyslot to manage keys, which seems to defeat the purpose of the added security of a Yubikey. Unless there is a detail I am missing?

@Vincent43
Contributor

You can use the yubikey-luks-open script for unlocking after bootup.

@HackSane
Author

Thanks, I wasn't clear on the usage for that command. However, it always attempts to open a container on /dev/sda3 even though that volume does not exist on my system.

$ yubikey-luks-open /dev/nvme0n1p3
This script will try opening yubikey-luks LUKS container on drive /dev/sda3 . If this is not what you >intended, exit now!
🔐 Enter password created with yubikey-luks-enroll: ************
spawn udisksctl unlock -b /dev/sda3
Error looking up object for device /dev/sda3
send: spawn id exp4 not open
while executing
""end -- "0164eadbffb7120714b9cae920ff71ff8f790c65

@Vincent43
Contributor

You have to tell the script which container you want to open; /dev/sda3 is the example default. Use yubikey-luks-open -h to see what options are available.

@marrek-az

HackSane, I believe you are correct. Keep in mind the maximum passphrase length is 512 characters (I think), so it should be possible to keep one in another slot without entirely negating the security provided by using a yubikey.
