If you’ve delved into the realm of hardware-based two-factor authentication (such as the Yubikey), you know how challenging those devices can be to get working in certain situations. One such situation is a Linux drive encrypted with LUKS.
Why would you want such a setup? For many, having a physical key as the only way to unlock an encrypted drive equates to the most secure means available (at the moment). With this setup, the drive can only be unlocked with the physical key present. It makes sense. However, making this work with a fully encrypted Linux drive isn’t a walk in the park.
Fortunately, there is a way to make this happen. Let me show you.
What you need
You obviously need a Yubikey device. You also need a Linux drive already encrypted with LUKS. And that’s it.
Be warned: you should practice this on a non-production machine. Make sure it works for you before using it on a system that houses precious data and services. Also, this won’t overwrite your current encryption password, so you have to continue using that as well.
I’ll demonstrate on Ubuntu Server 18.04.
Note: As of this writing, the process outlined below does not work on Ubuntu 19.04.
PrivacyIdea is a two-factor, multi-tenancy/multi-instance authentication system. In order to install it, you must first add the necessary PPA. Within that repository is the yubikey-luks package necessary for this to work. Here’s how to add the repository and install the software:
- Open a terminal window.
- Add the PPA with the command sudo add-apt-repository ppa:privacyidea/privacyidea.
- Update apt with the command sudo apt-get update.
- Install the package with the command sudo apt-get install yubikey-luks.
Install Yubikey Package
Next, we have to install the actual Yubikey Personalization software. Install the package with the following command:
sudo apt-get install yubikey-personalization
Program and enroll the Yubikey slot
For the next step, we must program the Yubikey slot (slot 2, selected by the -2 option in the command below) for HMAC-SHA1 challenge-response. This process erases the slot’s previous configuration (which is, by default, empty).
Warning: If you already use this slot’s HMAC-SHA1 configuration for anything else, do not run this command (it will erase that configuration).
The command to program the slot is:
ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
Now we enroll the Yubikey slot by adding the Yubikey challenge response as an additional decryption key. The command requires you to know where the encrypted volume is. Most likely, it will be something like /dev/sda3 or /dev/sda5. If you’re unsure, open the GNOME Disks utility (or issue the mount command) to confirm the partition path. On a newer system with NVMe storage, the partition path will be along the lines of /dev/nvme0n1p3.
To enroll the key, issue the command:
sudo yubikey-luks-enroll -d /PARTITION/PATH -s 7
Where /PARTITION/PATH is the actual path to your encrypted partition. You will be asked a few questions, which will vary, depending on the version of the software that’s installed on your system.
Once you answer the prompts, the process is complete. Reboot your system (with your Yubikey inserted) and type your LUKS encryption password, followed by your Yubikey challenge password. When the drive is decrypted, remove your Yubikey, and you’re good to go.
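To make clear what the enroll step actually stores in LUKS key slot 7 and what the boot-time prompt checks, here is an added model of the challenge-response flow. It is not the yubikey-luks or Yubikey code; it assumes the documented behaviour of an HMAC-SHA1 slot programmed with -ohmac-lt64 (HMAC over a challenge shorter than 64 bytes) and that the 40-hex-character response, optionally SHA-256 hashed, is the passphrase handed to cryptsetup. The device secret is a constructed test value (the RFC 2202 HMAC-SHA1 test key).

```python
import hashlib
import hmac

# Constructed 20-byte slot secret (RFC 2202 test-vector key). A real Yubikey
# generates this during ykpersonalize and never lets the host read it back.
DEVICE_SECRET = bytes([0x0B] * 20)


def yubikey_response(secret: bytes, challenge: bytes) -> str:
    """Model of slot 2 after 'ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64'.

    The key computes HMAC-SHA1 over the challenge. Because of -ohmac-lt64 the
    challenge may be shorter than the 64-byte buffer: ykchalresp pads it and
    the key strips the padding, so the HMAC covers exactly the bytes typed.
    """
    if not 1 <= len(challenge) <= 63:
        raise ValueError("hmac-lt64 mode needs a challenge of 1..63 bytes")
    return hmac.new(secret, challenge, hashlib.sha1).hexdigest()  # 40 hex chars


def luks_key_material(response_hex: str, hashed: bool = False) -> bytes:
    """Assumed enroll behaviour: the response (not the typed password) becomes
    the passphrase for key slot 7; hashed=True models the optional SHA-256 step."""
    if hashed:
        return hashlib.sha256(response_hex.encode()).hexdigest().encode()
    return response_hex.encode()


def enroll(secret: bytes, challenge_password: bytes, hashed: bool = False) -> bytes:
    """What 'yubikey-luks-enroll -s 7' would add: derived from key + password."""
    return luks_key_material(yubikey_response(secret, challenge_password), hashed)


def unlock_model(enrolled: bytes, secret: bytes, typed: bytes, hashed: bool = False) -> bool:
    """Boot-time check: the inserted key and the typed challenge password must
    reproduce the enrolled slot material. Either factor alone is useless."""
    candidate = luks_key_material(yubikey_response(secret, typed), hashed)
    return hmac.compare_digest(enrolled, candidate)


if __name__ == "__main__":
    slot7 = enroll(DEVICE_SECRET, b"Hi There")
    print("slot 7 material:", slot7.decode())
    print("right key, right password:", unlock_model(slot7, DEVICE_SECRET, b"Hi There"))
    print("right key, wrong password:", unlock_model(slot7, DEVICE_SECRET, b"Hi Thera"))
    print("other key, right password:", unlock_model(slot7, bytes(20), b"Hi There"))
```

The original LUKS passphrase still lives in its own key slot, which is why the article says you must keep using it; the Yubikey only adds a second, independent way to unlock.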