agherzan / yubikey-full-disk-encryption

Use YubiKey to unlock a LUKS partition
Apache License 2.0
810 stars 51 forks

[idea] Use password as challenge #4

Closed Vincent43 closed 6 years ago

Vincent43 commented 6 years ago

As enhancing the LUKS passphrase with user-provided passwords is already implemented, I think we can go a step further and use this password as the actual challenge provided at runtime instead of using one hardcoded in the config.

The above will make the whole setup more robust and more secure, as there will be no more stored secrets which can leak or be lost.

I think this behavior should be the default for anyone who's using passwords already. Users will provide the password before the YubiKey challenge-response instead. Those who don't use a password will stay with the challenge stored in the config.

The behavior of using the password as the challenge is already implemented in https://github.com/cornelinux/yubikey-luks, however it doesn't combine the password as part of the LUKS passphrase yet, see https://github.com/cornelinux/yubikey-luks/issues/15
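The two derivation modes discussed in this issue, side by side, as an added example that is not code from yubikey-full-disk-encryption or yubikey-luks. The YubiKey is emulated with openssl, since an HMAC-SHA1 slot returns HMAC-SHA1(slot_secret, challenge); the slot secret, the static challenge string and the function names are constructed for the example. With real hardware the body of `yk_response` would call `ykchalresp -2 "$challenge"` from yubikey-personalization instead.

```shell
#!/bin/sh
# Added example (not the project's code): compare a fixed challenge stored in
# the config with the proposal of using the typed password as the challenge.
# Slot 2 of a YubiKey in HMAC-SHA1 mode computes HMAC-SHA1(secret, challenge);
# here openssl stands in for the token so the script runs offline.
set -eu

# Constructed 20-byte slot secret (hex); only exists for the offline emulation.
YK_SLOT_SECRET_HEX="0123456789abcdef0123456789abcdef01234567"

# Constructed stand-in for a challenge hardcoded in a config file.
YKFDE_CHALLENGE="my-static-challenge"

# Emulated YubiKey HMAC-SHA1 response for a challenge; prints 40 hex chars.
# Real hardware: ykchalresp -2 "$1"
yk_response() {
    printf '%s' "$1" |
        openssl dgst -sha1 -mac HMAC -macopt "hexkey:$YK_SLOT_SECRET_HEX" |
        awk '{ print $NF }'
}

# Mode 1: challenge comes from the config; the password is only prepended.
# Anyone holding the config can obtain the response part from the token,
# so the password is the only secret the attacker still lacks.
passphrase_fixed_challenge() {
    password=$1
    printf '%s%s' "$password" "$(yk_response "$YKFDE_CHALLENGE")"
}

# Mode 2 (this issue's proposal): the password itself is the challenge, and
# the response is still combined with the password. Nothing about the
# challenge is stored on disk; a different password yields a different response.
passphrase_password_challenge() {
    password=$1
    printf '%s%s' "$password" "$(yk_response "$password")"
}

# Demonstration with a constructed password.
demo_password="correct horse battery staple"
printf 'fixed challenge   : %s\n' "$(passphrase_fixed_challenge "$demo_password")"
printf 'password challenge: %s\n' "$(passphrase_password_challenge "$demo_password")"
```

One caveat a practitioner would check before adopting mode 2: a YubiKey HMAC-SHA1 challenge is limited to 64 bytes, so long passphrases need to be hashed or truncated to a fixed-length challenge before being sent to the token, and that rule must be applied identically at enrollment and at unlock.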