agherzan / yubikey-full-disk-encryption

Use YubiKey to unlock a LUKS partition
Apache License 2.0

I can't get the `ykfde` hook to work, but `ykfde-open` does. #100

Closed kminehart closed 11 months ago

kminehart commented 12 months ago

The exact error message I get is: [2] No key available with this passphrase.

Which I know usually indicates an incorrect password. But it works when using ykfde-open on a live USB?

My kernel parameters are as such:

root=/dev/mapper/root cryptdevice=UUID={}-{}-{}-{}-{}:root rw

What's weird is that everything works normally with ykfde-open. I have another laptop set up with this same key in this exact same way (as far as I can tell) and I don't have any issues with it. What am I doing wrong? :thinking:

agherzan commented 11 months ago

I personally can't see the issue either. I'll think about it.

kminehart commented 11 months ago

I was going to try to get it to work by setting this up with just cryptsetup and without ykfde, and then using ykfde-enroll to enroll it on an existing luks encrypted volume and seeing if that works. Maybe there's a bug in ykfde-format?

ghost91- commented 11 months ago

Just tried to get this to work, too, but I seem to be running into the same issue.

Vincent43 commented 11 months ago

> Adding ykfde hook before encrypt hook will allow for a safe fallback in case of ykfde misconfiguration. I'm assuming this is so that you can continue to use an older luks passphrase as a fallback and not that you can use the passphrase set by ykfde-format or ykfde-enroll, right?

Yes, this comment is about using the older LUKS passphrase.

> This message occurs with or without the yubikey inserted; I'm never prompted to press the key.

I think that for some reason the YubiKey isn't detected in your initramfs environment and ykfde asks for the fallback (non-YubiKey-related) password. You may enable debug mode to confirm this.

kminehart commented 11 months ago

Yup, that looks to be it. I just did everything with a normal cryptsetup without ykfde and got it working.

luksDump shows only a key in keyslot 0.

I ran `sudo ykfde-enroll -d /dev/nvme0n1p2 -s 2` and it prompted me for the passphrase of the existing LUKS keyslot, which I thought was weird.

Now luksDump shows

Keyslots:
  0: luks2
    Key:        512 bits
    Priority:   normal
    Cipher:     aes-xts-plain64
    Cipher key: 512 bits
    PBKDF:      argon2id
    Time cost:  11
    Memory:     1048576
    Threads:    4
    Salt:       d9 b6 19 6d 37 76 bb 00 3f 42 5f b6 2d 78 2f 4b
                e4 98 38 ce 5d 16 97 be 6a 00 59 b3 44 71 ec 11
    AF stripes: 4000
    AF hash:    sha256
    Area offset:32768 [bytes]
    Area length:258048 [bytes]
    Digest ID:  0
  2: luks2
    Key:        512 bits
    Priority:   normal
    Cipher:     aes-xts-plain64
    Cipher key: 512 bits
    PBKDF:      argon2id
    Time cost:  11
    Memory:     1048576
    Threads:    4
    Salt:       4a e4 c8 94 75 8e 21 a6 68 71 df f5 be 90 40 db
                b5 f6 85 f9 c6 75 d7 41 39 6c d6 7c ad c2 60 6d
    AF stripes: 4000
    AF hash:    sha256
    Area offset:290816 [bytes]
    Area length:258048 [bytes]
    Digest ID:  0

which I think is expected.

My mkinitcpio.conf has: HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block ykfde encrypt filesystems fsck)

and when I ran mkinitcpio -P and rebooted, I typed in my password, which worked and didn't prompt me for my yubikey. So I think your theory sounds accurate; I'll try enabling debug mode to confirm 100%.

kminehart commented 11 months ago

Yup, confirmed: after it loaded the ykfde hook and asked for my password it just said decrypting with cryptsetup luksOpen ...

This might be relevant but during install I intentionally skipped this step:

ykpersonalize -v -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible -ochal-btn-trig

because I have ykfde on another laptop and already ran this. I wanted to be able to use this key for both laptops.

Vincent43 commented 11 months ago

> Yup, confirmed: after it loaded the ykfde hook and asked for my password it just said decrypting with cryptsetup luksOpen ...

Do you mean in debug mode? Weren't there any messages about failures?

Did you enable 1FA or 2FA mode in the config? This step isn't optional for the initramfs hook, while ykfde-open can work without it.

kminehart commented 11 months ago

> Do you mean in debug mode? Weren't there any messages about failures?

Yeah, debug mode. No logs about failures.

:: running hook [ykfde]
 > modprobing dm-crypt
Attempt #1/5: crypsetup of /dev/nvme0n1p2:
 > Passphrase needed to unlock device.
  Enter passphrase: {visible password}
> Passing ... to 'cryptsetup'
> Decrpyting with 'cryptsetup luksOpen /dev/nvme0n1p2 root' ...
  Decryption was successful.
:: running hook [encrypt]
Device root alreadey exists. not doing any crypt setup.

My ykfde.conf is all default, as the defaults looked like what I wanted. I'll try manually setting them and seeing if that helps.

kminehart commented 11 months ago

Oh, well, that's what did it. I edited /etc/ykfde.conf and just uncommented these lines:

# Use 'Manual mode with secret challenge (2FA)'.
YKFDE_CHALLENGE_PASSWORD_NEEDED="1"

# YubiKey slot configured for 'HMAC-SHA1 Challenge-Response' mode.
# Possible values are "1" or "2". Defaults to "2".
YKFDE_CHALLENGE_SLOT="2"
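As an added example that is not part of this issue or of the ykfde project, the following POSIX shell script checks a ykfde.conf and a mkinitcpio.conf for the two things this thread turned on: whether a challenge mode is actually set (a commented-out line contributes nothing, because the file is sourced as shell), and whether ykfde precedes encrypt in HOOKS so the plain-passphrase fallback remains available. The rule it implements (the hook attempts the YubiKey only when YKFDE_CHALLENGE or YKFDE_CHALLENGE_PASSWORD_NEEDED is non-empty, and the slot defaults to 2) is my reading of the thread and the config comments, not a copy of the hook's logic. The sample config files are constructed; the good HOOKS line is the one quoted earlier in this thread, the bad one is made up.

```shell
#!/bin/sh
# Added example (not ykfde's own code): catch the two misconfigurations
# discussed in this thread before running mkinitcpio -P and rebooting.
#
# Assumption (from the thread, not the hook's source): the initramfs hook only
# tries a YubiKey challenge-response when YKFDE_CHALLENGE (1FA) or
# YKFDE_CHALLENGE_PASSWORD_NEEDED (2FA) is set; otherwise it silently falls
# back to a plain cryptsetup passphrase prompt.

# Prints one of: 2fa, 1fa, fallback, badslot.
# Returns 0 when the YubiKey would be used, 1 on fallback, 2 on a bad slot.
ykfde_mode() {
    # Start clean so nothing leaks in from the caller's environment.
    YKFDE_CHALLENGE=''
    YKFDE_CHALLENGE_PASSWORD_NEEDED=''
    YKFDE_CHALLENGE_SLOT=''
    # The real hook sources the config as shell; commented lines are no-ops.
    [ -r "$1" ] && . "$1"
    slot="${YKFDE_CHALLENGE_SLOT:-2}"   # config comment: "Defaults to 2"
    case "$slot" in
        1|2) ;;
        *) echo badslot; return 2 ;;
    esac
    if [ -n "$YKFDE_CHALLENGE_PASSWORD_NEEDED" ]; then
        echo 2fa; return 0
    fi
    if [ -n "$YKFDE_CHALLENGE" ]; then
        echo 1fa; return 0
    fi
    echo fallback
    return 1
}

# Returns 0 when the HOOKS array lists ykfde before encrypt, 1 when either
# hook is missing or the order is reversed.
hooks_order_ok() {
    hooks=$(sed -n 's/^HOOKS=(\(.*\))[[:space:]]*$/\1/p' "$1")
    i=0; yk=''; enc=''
    for h in $hooks; do
        i=$((i + 1))
        [ "$h" = ykfde ] && yk=$i
        [ "$h" = encrypt ] && enc=$i
    done
    [ -n "$yk" ] && [ -n "$enc" ] && [ "$yk" -lt "$enc" ]
}

# Constructed sample files (not copied from a real system).
YKFDE_TMP=$(mktemp -d)

# 1. Everything left commented out, as in the first attempt in this thread.
YKFDE_CONF_DEFAULT="$YKFDE_TMP/ykfde.conf.default"
cat > "$YKFDE_CONF_DEFAULT" <<'EOF'
### *REQUIRED* ###
# Use 'Manual mode with secret challenge (2FA)'.
#YKFDE_CHALLENGE_PASSWORD_NEEDED="1"
# YubiKey slot configured for 'HMAC-SHA1 Challenge-Response' mode.
#YKFDE_CHALLENGE_SLOT="2"
EOF

# 2. The two lines uncommented, as in the fix.
YKFDE_CONF_2FA="$YKFDE_TMP/ykfde.conf.2fa"
printf '%s\n' 'YKFDE_CHALLENGE_PASSWORD_NEEDED="1"' 'YKFDE_CHALLENGE_SLOT="2"' > "$YKFDE_CONF_2FA"

# 3. 1FA with a placeholder fixed challenge on slot 1.
YKFDE_CONF_1FA="$YKFDE_TMP/ykfde.conf.1fa"
printf '%s\n' 'YKFDE_CHALLENGE="placeholder-challenge"' 'YKFDE_CHALLENGE_SLOT="1"' > "$YKFDE_CONF_1FA"

# 4. A slot number a YubiKey does not have.
YKFDE_CONF_BADSLOT="$YKFDE_TMP/ykfde.conf.badslot"
printf '%s\n' 'YKFDE_CHALLENGE="placeholder-challenge"' 'YKFDE_CHALLENGE_SLOT="3"' > "$YKFDE_CONF_BADSLOT"

MKINITCPIO_OK="$YKFDE_TMP/mkinitcpio.conf.ok"
echo 'HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block ykfde encrypt filesystems fsck)' > "$MKINITCPIO_OK"
MKINITCPIO_BAD="$YKFDE_TMP/mkinitcpio.conf.bad"
echo 'HOOKS=(base udev autodetect modconf block encrypt ykfde filesystems fsck)' > "$MKINITCPIO_BAD"

for f in "$YKFDE_CONF_DEFAULT" "$YKFDE_CONF_2FA" "$YKFDE_CONF_1FA" "$YKFDE_CONF_BADSLOT"; do
    printf '%s: ' "${f##*/}"
    ykfde_mode "$f" || :
done
for f in "$MKINITCPIO_OK" "$MKINITCPIO_BAD"; do
    if hooks_order_ok "$f"; then echo "${f##*/}: ykfde before encrypt, fallback available"
    else echo "${f##*/}: fix HOOKS so ykfde comes before encrypt"; fi
done
```

Run it as-is to see the four config verdicts; to check a real system, call `ykfde_mode /etc/ykfde.conf` and `hooks_order_ok /etc/mkinitcpio.conf` from the same shell. A "fallback" verdict is what the debug log in this thread shows: the hook never talks to the key and hands the typed passphrase straight to cryptsetup.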

Vincent43 commented 11 months ago

Yes, it's not the first time someone has missed editing the config, which is a required step to use the hook. I guess we need to emphasize that in the README section.

kminehart commented 11 months ago

Makes sense. I think my assumption was that the commented values were the defaults, so I could just leave them commented :sweat_smile: I definitely opened it, read it, and said, "yep, that looks fine to me."

kminehart commented 11 months ago

Thanks for the help! I appreciate it a lot.

ghost91- commented 11 months ago

Ah, that's also what tripped me up. I think the confusing bit is that configs very often use the default values for the things that are commented out, so I assumed this was the case here, too. Of course, the config even says ### *REQUIRED* ###, but I somehow missed that. So yeah, clearer instructions that these values have to be set manually could help.