agherzan / yubikey-full-disk-encryption

Use YubiKey to unlock a LUKS partition
Apache License 2.0

Are those scripts and strong passphrase generation compatible with yubikey-luks ? #48

Closed. stman closed this 5 years ago.

stman commented 5 years ago

Hello.

This is a very simple question:

Is the way you compute the passphrase with the YubiKey the same as in the "yubikey-luks" module that we usually use to encrypt the filesystem of an install under Ubuntu?

Meaning, can it be used to unlock a standalone partition on removable media, for example backups of such a LUKS partition on a backup hard drive, with the YubiKey itself?

Vincent43 commented 5 years ago

Yes, but only if you enabled both CONCATENATE=1 and HASH=1 in the yubikey-luks config while enrolling the passphrase. I may prepare an Ubuntu/Debian version of this project in the future when I have time.

stman commented 5 years ago

Thank you for this precise answer. And when using the following default command line to enroll a YubiKey on a LUKS partition, after installing the "yubikey-luks" package with

sudo apt-get install yubikey-luks

without editing anything (using its default configuration), and enrolling the YubiKey with the command:

sudo yubikey-luks-enroll -d /dev/sda3 -s 7

is that the case? Are those options, CONCATENATE and HASH, set properly?

Meaning, can I use your script to unlock a volume of such a LUKS partition, for which I have lost the main passphrase of slot 0, but where I still have the YubiKey and the YubiKey challenge password for slot 7 where it was enrolled?

For unknown reasons, when installing the "yubikey-luks" package as I did, the command yubikey-luks-open is not included. It sucks.

This is why I am asking you all this.

At worst, I will have to compute the corresponding passphrase manually with the YubiKey challenge test utility and enter it as a passphrase, but I don't even know how to do that if I don't know the underlying formula.

Thanks for your help, as you seem to master these things.

Vincent43 commented 5 years ago

No, both options I mentioned default to 0, so your passphrase isn't compatible with this project.

> For unknown reasons, when installing the "yubikey-luks" package as I did, the command yubikey-luks-open is not included. It sucks.

What distro are you using? yubikey-luks-open is available only in Ubuntu 19.04 or Debian 10. If you use an older distro you may install it from there. Keep in mind that if you want to unlock the volume in the initramfs during boot you have to adjust your config, as it changed in the new release.

Vincent43 commented 5 years ago

Hm, it seems that the Ubuntu/Debian packages mistakenly install yubikey-luks-open to /usr/lib instead of /usr/bin, which means you have to invoke it with the full path, /usr/lib/yubikey-luks-open, rather than yubikey-luks-open.

stman commented 5 years ago

Thanks a lot for all your precise explanations. I've read the yubikey-luks package config file, and the default config sets those two variables to zero.

Meaning that the effective passphrase generated is just the output of the challenge function applied to the raw password. I could finally mount the volume by entering this string, and it worked.

The yubikey-luks folks could have included a small piece of documentation explaining all this quickly: that there are four different modes to generate the long passphrase from the challenge of the password.

And yes, the mode you propose by default for your package is therefore the most secure, because it generates the longest string. Why do most crypto folks always set the weakest configurations by default... LOL. And why don't they provide a small piece of documentation...

Kind regards,

Frederic.
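As an added illustration of the four modes discussed in this thread (this is example code written for this page, not code from yubikey-luks or from yubikey-full-disk-encryption): a Python model of how the string handed to cryptsetup is built from the typed password under each HASH/CONCATENATE combination, following the description given above. It assumes HASH=1 means the password is replaced by its SHA-256 hex digest before being sent as the challenge, that the slot 2 response is HMAC-SHA1 rendered as 40 hex characters (what `ykchalresp -2` prints), and that CONCATENATE=1 prepends the challenge to that response. The 20-byte secret, the sample password and the function names are constructed for the example; a real token keeps its secret on-device, so `ykchalresp_slot2` is a software stand-in, not the YubiKey itself.

```python
import hashlib
import hmac

# Constructed 20-byte HMAC-SHA1 secret standing in for the secret programmed into
# YubiKey slot 2. A real token never exports it; there, `ykchalresp -2 <challenge>`
# performs the HMAC on-device. The value below is made up for this example.
FAKE_SLOT2_SECRET = bytes.fromhex("000102030405060708090a0b0c0d0e0f10111213")


def ykchalresp_slot2(challenge: str, secret: bytes = FAKE_SLOT2_SECRET) -> str:
    """Software stand-in for `ykchalresp -2`: HMAC-SHA1 over the challenge bytes,
    returned as the 40-character lowercase hex string the tool prints."""
    return hmac.new(secret, challenge.encode("utf-8"), hashlib.sha1).hexdigest()


def luks_passphrase(password: str, hash_first: bool, concatenate: bool,
                    secret: bytes = FAKE_SLOT2_SECRET) -> str:
    """String that ends up in the LUKS key slot for one HASH/CONCATENATE setting
    (assumed model of the yubikey-luks enrolment, as discussed in the thread).

    HASH=1        -> challenge = SHA-256 hex digest of the typed password (64 chars)
    HASH=0        -> challenge = the typed password itself
    CONCATENATE=1 -> key = challenge + response
    CONCATENATE=0 -> key = response only (40 hex chars)
    """
    if hash_first:
        challenge = hashlib.sha256(password.encode("utf-8")).hexdigest()
    else:
        challenge = password
    response = ykchalresp_slot2(challenge, secret)
    return challenge + response if concatenate else response


def all_modes(password: str) -> dict:
    """Map (HASH, CONCATENATE) -> resulting LUKS passphrase for all four modes."""
    return {(h, c): luks_passphrase(password, bool(h), bool(c))
            for h in (0, 1) for c in (0, 1)}


def compatible_with_hash_concat(password: str, hash_setting: int,
                                concatenate_setting: int) -> bool:
    """True when an enrolment with the given settings produces the same string as
    a HASH=1, CONCATENATE=1 enrolment, the combination the thread says this
    project expects. Only the (1, 1) enrolment itself satisfies this."""
    candidate = luks_passphrase(password, bool(hash_setting), bool(concatenate_setting))
    return candidate == luks_passphrase(password, True, True)


if __name__ == "__main__":
    sample_password = "correct horse battery staple"  # constructed sample input
    for (h, c), key in all_modes(sample_password).items():
        print(f"HASH={h} CONCATENATE={c} len={len(key):3d} {key}")
    print("default yubikey-luks (0,0) compatible:",
          compatible_with_hash_concat(sample_password, 0, 0))
```

With HASH=0 and CONCATENATE=0 the stored passphrase is exactly the 40-character response to the raw password, which is the string stman recovered by hand; with both set to 1 it is the 64-character SHA-256 digest followed by the 40-character response, so a key slot enrolled one way will not open with a tool that derives the other.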