Skip to content

kfiducia/ykfde

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
README
README
 
 
cryptopenyk
cryptopenyk
 
 
ykcrypto.sh
ykcrypto.sh
 
 

Repository files navigation

ykfde - yubikey-based full disk encryption

This code has been contributed as a different way to do Challenge Response, 
rather than a fixed challenge given to the yubikey, the Challenge is requested
from the user at boot, then hashed. The response is given as input to LUKS.

This way your challenge isn't sitting in your unecrypted /boot

This code is based on Ubuntu 12.10 and has not been tested with other distros.

Quick start:

Note: This code is based on the Challenge/Response being configured on the second slot of your YubiKey.

First Install the perso tool:
apt-get install yubikey-personalization

Now get your crypto key for LUKS temporarily store this somewhere safe from comprimise:
ykchalresp -2 "enter your passphrase here" > yk.key

Add your keyfile to cryptsetup:
  First figure out which device you are working with:
  cat /etc/crypttab

Now add your keyfile (you can add a failover passphrase here, I make mine extrememly long and back it up)
cryptsetup luksAddKey /dev/sdXX yk.key

You can now remove that key file!
rm yk.key

Now we need to tell crypttab where to get your keyfile, your crypttab should be modified as follows:
sda_crypt /dev/sdXX yk.key luks,keyscript=/usr/local/sbin/ykcrypto.sh

Don't forget to put ykcrypt.sh in that location and make it executable:
mv ykcrypto.sh /usr/local/sbin/ykcrypto.sh
chmod a+x /usr/local/sbin/ykcrypto.sh

Next we have to modify the initramfs to add the perso tool. This could potentially lock out out of your machine,
so possibly make a backup of your initramfs in your /boot and have it available as a backup, you can also add it
as a backup to your grub config, I may add a help doc on that later.

Put cryptoyk into /etc/initramfs-tools/hooks/
Then make it executable
mv cryptoyk /etc/initramfs-tools/hooks/cryptoyk
chmod a+x /etc/initramfs-tools/hooks/cryptoyk

Now update your initramfs
update-initramfs -u all

Reboot! 

On bootup, you will be asked for your passphrase. Note, any phrase will be given to the YK 
and get a YK success, only the correct passphrase will unlock the disk.
An empty input will skip to the LUKS direct passphrase entry.



Limitations/bugs:
Initial version, still testing...

About

Yubikey full disk encryption

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Shell 100.0%