
Noob Install by noob :

sintrix edited this page Jul 23, 2014 · 1 revision

-Installation-

When encrypting your drive during install, pick a very secure and complex passphrase!

Note: if you are not familiar with this topic, stop now and back up your data. Partitions can change from machine to machine, along with slots. You can easily nuke or lock yourself out of your machine forever.

---From CLI---

Gain root:

sudo su -

Prepare YubiKey (make sure you plug it into a USB port):

apt-get install yubikey-personalization

ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible

Install PrivacyIdea yubikey package:

add-apt-repository ppa:privacyidea/privacyidea

apt-get update

apt-get install yubikey-luks

Verify where your encrypted drive is (mine is /dev/sda5). Dump the LUKS header of the device and verify slot 7 is disabled:

cryptsetup -v luksDump /dev/sda5

To clear slot use:

cryptsetup luksKillSlot /dev/sda5 7

Create temporary random key for slot:

dd if=/dev/urandom of=luks-secret.key bs=1 count=4096

Assign key to slot 7:

cryptsetup luksAddKey /dev/sda5 luks-secret.key --key-slot 7

Enroll your YubiKey; note: -d = device, -s = slot:

yubikey-luks-enroll -d /dev/sda5 -s 7

It will ask you for a password (use the original passphrase you used to encrypt the disk). It will ask you for a new password. It will ask you to enter it a second time. It will ask you for a new passphrase.

Shred your temporary key file:

shred --remove --zero luks-secret.key

Reboot:

reboot

When logging in you can type your really crazy long passphrase without the YubiKey and gain entry. If you are in a hostile place, simply plug in your YubiKey and enter your new password. It will only authenticate if the YubiKey is plugged directly into your laptop. _When you leave your laptop, take your YubiKey with you to prevent any shoulder surfers from gaining access even if they have your new pass._
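The "verify slot 7 is disabled" step can be scripted so the slot commands refuse to run against a slot that is in use. This is an added example, not part of the original page or the yubikey-luks project. It assumes LUKS1-style luksDump output (lines such as "Key Slot 7: DISABLED"), and the function names and sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check before enrolling the YubiKey into a LUKS slot.
# Assumes LUKS1-style `cryptsetup luksDump` output ("Key Slot 7: DISABLED").

# Constructed sample dump (not taken from a real machine), trimmed for brevity.
SAMPLE_DUMP='LUKS header information for /dev/sda5
Version:        1
Key Slot 0: ENABLED
    Iterations:             200000
Key Slot 1: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# slot_state N: read a dump on stdin, print ENABLED, DISABLED or UNKNOWN.
slot_state() {
    awk -v n="$1" '
        $1 == "Key" && $2 == "Slot" && $3 == (n ":") { state = $4 }
        END { print (state == "" ? "UNKNOWN" : state) }'
}

# other_enabled N: read a dump on stdin, print how many slots besides N are ENABLED.
other_enabled() {
    awk -v n="$1" '
        $1 == "Key" && $2 == "Slot" && $3 != (n ":") && $4 == "ENABLED" { c++ }
        END { print c + 0 }'
}

# safe_to_enroll N DUMP: succeed only if slot N is DISABLED (nothing to
# overwrite) and another slot is ENABLED (the original passphrase still works).
# Anything unparsable counts as unsafe.
safe_to_enroll() {
    [ "$(printf '%s\n' "$2" | slot_state "$1")" = "DISABLED" ] || return 1
    [ "$(printf '%s\n' "$2" | other_enabled "$1")" -ge 1 ] || return 1
    return 0
}

# Demo on the constructed sample. On a real system (as root) the dump would be
# "$(cryptsetup luksDump /dev/sda5)" with the device path from the page.
for s in 0 7; do
    if safe_to_enroll "$s" "$SAMPLE_DUMP"; then
        echo "slot $s: free, safe to enroll"
    else
        echo "slot $s: do not enroll"
    fi
done
```

A dump in any other layout yields UNKNOWN and the check fails closed, so read the luksDump output by hand in that case.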

Hope this helps noobs like me.
