Closed kminehart closed 11 months ago
I personally can't see the issue either. I'll think about it.
I was going to try to get it to work by setting this up with just cryptsetup and without ykfde, and then using ykfde-enroll to enroll it on an existing luks encrypted volume and seeing if that works. Maybe there's a bug in ykfde-format?
Just tried to get this to work, too, but I seem to be running into the same issue.
"Adding ykfde hook before encrypt hook will allow for a safe fallback in case of ykfde misconfiguration." I'm assuming this is so that you can continue to use an older luks passphrase as a fallback and not that you can use the passphrase set by ykfde-format or ykfde-enroll, right?
Yes, this comment is about using the older luks passphrase.
This message occurs with or without the yubikey inserted; I'm never prompted to press the key.
I think that for some reason yubikey isn't detected in your initramfs environment and ykfde asks for fallback (non yubikey related) password. You may enable debug mode to confirm this.
Yup, that looks to be it. I just did everything with a normal cryptsetup without ykfde and got it working.
luksDump shows only a key on keyslot 0.
I ran: sudo ykfde-enroll -d /dev/nvme0n1p2 -s 2
and it prompted me for the passphrase on the existing luks keyslot, which I thought was weird.
Now luksDump shows
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2id
Time cost: 11
Memory: 1048576
Threads: 4
Salt: d9 b6 19 6d 37 76 bb 00 3f 42 5f b6 2d 78 2f 4b
e4 98 38 ce 5d 16 97 be 6a 00 59 b3 44 71 ec 11
AF stripes: 4000
AF hash: sha256
Area offset:32768 [bytes]
Area length:258048 [bytes]
Digest ID: 0
2: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2id
Time cost: 11
Memory: 1048576
Threads: 4
Salt: 4a e4 c8 94 75 8e 21 a6 68 71 df f5 be 90 40 db
b5 f6 85 f9 c6 75 d7 41 39 6c d6 7c ad c2 60 6d
AF stripes: 4000
AF hash: sha256
Area offset:290816 [bytes]
Area length:258048 [bytes]
Digest ID: 0
which I think is expected.
My mkinitcpio.conf has: HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block ykfde encrypt filesystems fsck)
and when I ran mkinitcpio -P and rebooted, I typed in my password, which worked and didn't prompt me for my yubikey. So I think your theory sounds accurate; I'll try enabling debug mode to confirm 100%.
Yup confirmed, after it loaded the ykfde hook and asked for my password it just said decrypting with cyptsetup luksOpen ...
This might be relevant but during install I intentionally skipped this step:
ykpersonalize -v -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible -ochal-btn-trig
because I have ykfde on another laptop and already ran this. I wanted to be able to use this key for both laptops.
> Yup confirmed, after it loaded the ykfde hook and asked for my password it just said decrypting with cyptsetup luksOpen ...
Do you mean in debug mode? Weren't there any messages about failures?
Did you enable 1FA or 2FA mode in the config? This step isn't optional for the initramfs hook, while ykfde-open can work without it.
> Do you mean in debug mode? Weren't there any messages about failures?
Yeah, debug mode. No logs about failures.
:: running hook [ykfde]
> modprobing dm-crypt
Attempt #1/5: crypsetup of /dev/nvme0n1p2:
> Passphrase needed to unlock device.
Enter passphrase: {visible password}
> Passing ... to 'cryptsetup'
> Decrpyting with 'cryptsetup luksOpen /dev/nvme0n1p2 root' ...
Decryption was successful.
:: running hook [encrypt]
Device root alreadey exists. not doing any crypt setup.
My ykfde.conf is all default, as the defaults looked like what I wanted. I'll try manually setting them and seeing if that helps.
oh. well that's what did it. I edited /etc/ykfde.conf and just uncommented these lines:
# Use 'Manual mode with secret challenge (2FA)'.
YKFDE_CHALLENGE_PASSWORD_NEEDED="1"
# YubiKey slot configured for 'HMAC-SHA1 Challenge-Response' mode.
# Possible values are "1" or "2". Defaults to "2".
YKFDE_CHALLENGE_SLOT="2"
Yes, it's not the first time someone has missed editing the config part, which is a required step to use the hook. I guess we need to emphasize that in the readme section.
Makes sense. I think my assumption was that the commented values were the defaults, so I could just leave them commented :sweat_smile: I definitely opened it, read it, and said, "yep, that looks fine to me."
Thanks for the help! I appreciate it a lot.
Ah, that's also what tripped me up. I think the confusing bit is that configs very often use the default values for those things that are commented out, so I assumed this was the case here, too. Of course, the config even says ### *REQUIRED* ###, but I somehow missed that. So yeah, maybe clearer instructions that these values have to be set manually could help.
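As an added example, not part of ykfde and not from anyone in this thread: a small POSIX shell pre-flight check for ykfde.conf that flags exactly the state this thread ended on, the *REQUIRED* variables still commented out, so the hook silently falls back to a plain passphrase prompt. The variable names come from the config excerpt above; the sample config contents are constructed, and the only value range the check enforces is the slot range ("1" or "2") quoted in the config comment.

```shell
#!/bin/sh
# Added example (not ykfde's own code): a pre-flight check for ykfde.conf that
# reports the misconfiguration from this thread, where the *REQUIRED* settings
# were left commented out and the initramfs hook silently fell back to a plain
# LUKS passphrase prompt. Run it against /etc/ykfde.conf before mkinitcpio -P.

# Print the last active (uncommented) assignment of variable $2 in file $1,
# surrounding quotes stripped; print nothing if it is only set in comments.
conf_get() {
    grep "^[[:space:]]*$2=" "$1" | tail -n 1 \
        | sed 's/^[^=]*=//; s/^"\(.*\)"$/\1/'
}

# Succeed when $2 appears in $1 only as a commented-out assignment.
conf_commented_only() {
    if [ -n "$(conf_get "$1" "$2")" ]; then return 1; fi
    grep -q "^[[:space:]]*#[[:space:]]*$2=" "$1"
}

# Check the two settings this thread uncommented. Prints one line per problem
# and returns 1 if the hook would not use YubiKey challenge-response.
check_ykfde_conf() {
    conf="$1"; rc=0
    for var in YKFDE_CHALLENGE_PASSWORD_NEEDED YKFDE_CHALLENGE_SLOT; do
        if [ -z "$(conf_get "$conf" "$var")" ]; then
            if conf_commented_only "$conf" "$var"; then
                echo "MISSING: $var is commented out (the comment is not a default)"
            else
                echo "MISSING: $var is not set at all"
            fi
            rc=1
        fi
    done
    # The config documents slot values "1" or "2"; anything else is a typo.
    slot=$(conf_get "$conf" YKFDE_CHALLENGE_SLOT)
    case "$slot" in
        ""|1|2) ;;
        *) echo "INVALID: YKFDE_CHALLENGE_SLOT=\"$slot\" (expected 1 or 2)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configs (not real files): the untouched shipped state
# described in the thread, and the corrected one.
tmp=$(mktemp -d)
printf '%s\n' "# Use 'Manual mode with secret challenge (2FA)'." \
    '# YKFDE_CHALLENGE_PASSWORD_NEEDED="1"' '# YKFDE_CHALLENGE_SLOT="2"' > "$tmp/untouched.conf"
printf '%s\n' 'YKFDE_CHALLENGE_PASSWORD_NEEDED="1"' 'YKFDE_CHALLENGE_SLOT="2"' > "$tmp/fixed.conf"
check_ykfde_conf "$tmp/untouched.conf" || echo "-> fix $tmp/untouched.conf before running mkinitcpio -P"
check_ykfde_conf "$tmp/fixed.conf" && echo "-> fixed.conf looks ready for the ykfde hook"
```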
The exact error message I get is:
[2] No key available with this passphrase.
Which I know usually indicates an incorrect password. But it works when using ykfde-open on a live USB?
ykfde-format and everything seemed to work fine. I'm able to open it with ykfde-open -d /dev/nvme0n1p2 -n root.
encrypt hook I added ykfde.
/etc/vconsole.conf and set KEYMAP=us then ran mkinitcpio -P. I don't think this is a keymap issue; when in other plaintext prompts (like the fallback fs) I typed my password and it is correct. I could be wrong but this doesn't seem like the culprit to me.
cryptsetup open /dev/nvme0n1p2 root, it doesn't accept the same passphrase as ykfde-open. I don't know fully how this works but I personally would expect this if not for this language in the readme: "Adding ykfde hook before encrypt hook will allow for a safe fallback in case of ykfde misconfiguration." I'm assuming this is so that you can continue to use an older luks passphrase as a fallback and not that you can use the passphrase set by ykfde-format or ykfde-enroll, right?
[2] No key available with this passphrase.
My kernel parameters are as such:
What's weird is that everything works normally with ykfde-open. I have another laptop set up with this same key in this exact same way (as far as I can tell) and I don't have any issues with it. What am I doing wrong? :thinking: