agherzan / yubikey-full-disk-encryption

Use YubiKey to unlock a LUKS partition
Apache License 2.0

No key available with passphrase, with existing encrypted fs. #55

Closed AcidLeroy closed 4 years ago

AcidLeroy commented 4 years ago

I recently installed Arch Linux, and followed the guide to encrypt my root directory as described here: https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encrypting_devices_with_LUKS_mode. The command I used was:

cryptsetup -y -v luksFormat /dev/sda7

I have successfully booted and unlocked the drive with the passphrase I set up, and ran the command in a previous issue: https://github.com/agherzan/yubikey-full-disk-encryption/issues/36 without any issue.

However, when I attempt to enroll a key via ykfde-enroll -v -d /dev/sda7 -s 2 -o, I get the error "No key available with this passphrase".

I'm trying to avoid running luksFormat again because I don't want to have to redo everything I've already set up. Is the problem that I didn't encrypt the drive with the proper flags the first time, making it incompatible with the key enrollment? If so, do I simply need to reformat the drive? If I need to reformat, is there a way I can do this without losing my data?

Output of luksDump (attached as an image; not reproduced in the text)
Vincent43 commented 4 years ago

I have successfully booted and unlocked the drive with the passphrase I set up, and ran the command in a previous issue:

You mean this one: sudo cryptsetup luksOpen --test-passphrase /dev/sda7?

However, when I attempt to enroll a key via ykfde-enroll -v -d /dev/sda7 -s 2 -o, I get the error "No key available with this passphrase".

-o is needed when your existing, old password was enrolled with ykfde. I guess that wasn't the case when you ran cryptsetup -y -v luksFormat /dev/sda7? Could you try omitting -o, like ykfde-enroll -v -d /dev/sda7 -s 2?

AcidLeroy commented 4 years ago

@Vincent43 Yes, that was the issue! This ended up working! What wasn't obvious to me, though, was that I needed to store the private key generated by the ykpersonalize command. As a result, I have a keyslot that will no longer work. Is it possible to remove this key if the password isn't known? Or will this forever take up key slot 2? Thanks!

Vincent43 commented 4 years ago

Removing a key from a LUKS device can be done as described in the readme.

You shouldn't need to store the secret key generated by ykpersonalize that was written to the YubiKey, unless you want it as a backup in case you lose the token (also, that command doesn't even allow storing this key, as it is generated randomly, written to the token and discarded). I don't think I understand what exactly the problem was.

AcidLeroy commented 4 years ago

@Vincent43, I'm going to close this issue and open another since it's technically a different question.

AcidLeroy commented 4 years ago

You shouldn't need to store secret key generated by ykpersonalize

@Vincent43 I thought you were supposed to put the secret token generated here: https://github.com/agherzan/yubikey-full-disk-encryption/blob/master/src/ykfde.conf#L8

I also ended up using the secret to copy to another key so I would have a backup in case I lost one of my keys. I wish there was a way to do this from the command line instead of the GUI, but I didn't see any obvious clues in the -h option.

Vincent43 commented 4 years ago

@Vincent43 I thought you were supposed to put the secret token generated here: https://github.com/agherzan/yubikey-full-disk-encryption/blob/master/src/ykfde.conf#L8

@AcidLeroy YKFDE_CHALLENGE isn't the secret token generated by ykpersonalize. Those are two different things used to create the final passphrase. See the description from the readme:

The YubiKey response is a HMAC-SHA1 40 byte length string created from your provided challenge and 20 byte length secret key stored inside the token

AcidLeroy commented 4 years ago

@Vincent43 I see. So I can put whatever I want in the YKFDE_CHALLENGE? If I change the challenge, does that mean I need to regenerate initramfs and the key slots?

Vincent43 commented 4 years ago

Yes, YKFDE_CHALLENGE is a user-provided secret. Depending on which mode you prefer (1FA or 2FA), you can store it in ykfde.conf (1FA) or provide it in the console each time you unlock the disk (2FA). If you choose to store it in ykfde.conf, then you need to regenerate the initramfs to use it on boot. A different YKFDE_CHALLENGE will generate a different ykfde passphrase, which needs to be enrolled in LUKS separately.
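
An added example (not part of this thread or of the ykfde project) that models in Python the relationship Vincent43 describes: a 20-byte secret on the token, an HMAC-SHA1 response of 40 hex characters computed from the challenge, a second token programmed with the same secret giving the same response, and a changed challenge giving a passphrase that no existing keyslot accepts until it is enrolled separately. The secret and challenge values are constructed, the keyslot class is a toy stand-in for LUKS, and treating the raw hex response as the enrolled passphrase is an assumption made for illustration only.

```python
import hashlib
import hmac

# Constructed 20-byte secret standing in for the one ykpersonalize programs into
# the token's HMAC-SHA1 slot (generated randomly, written to the key, discarded).
TOKEN_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f000112233")


def yubikey_response(secret: bytes, challenge: str) -> str:
    """Model of the token's HMAC-SHA1 challenge-response: a 20-byte digest,
    returned as the 40-character hex string the thread describes."""
    if len(secret) != 20:
        raise ValueError("HMAC-SHA1 slot secret must be exactly 20 bytes")
    return hmac.new(secret, challenge.encode(), hashlib.sha1).hexdigest()


class LuksKeyslots:
    """Toy model of LUKS keyslots: a slot accepts only the exact passphrase it
    was enrolled with. SHA-256 stands in for the real key derivation."""

    def __init__(self):
        self.slots = {}

    def enroll(self, slot: int, passphrase: str) -> None:
        self.slots[slot] = hashlib.sha256(passphrase.encode()).hexdigest()

    def unlock(self, passphrase: str):
        digest = hashlib.sha256(passphrase.encode()).hexdigest()
        for slot, stored in self.slots.items():
            if hmac.compare_digest(stored, digest):
                return slot
        return None  # cryptsetup would report "No key available with this passphrase"


def demo() -> dict:
    """Walk through the situations discussed in the thread."""
    slots = LuksKeyslots()
    slots.enroll(0, "plain passphrase from luksFormat")  # unlocks without a token
    # Assumption for illustration: the raw hex response is the enrolled passphrase.
    resp_a = yubikey_response(TOKEN_SECRET, "challenge-A")
    slots.enroll(2, resp_a)
    backup = yubikey_response(TOKEN_SECRET, "challenge-A")  # second token, same secret
    resp_b = yubikey_response(TOKEN_SECRET, "challenge-B")  # changed YKFDE_CHALLENGE
    before = slots.unlock(resp_b)  # no slot accepts it until enrolled separately
    slots.enroll(3, resp_b)
    return {"response_len": len(resp_a), "backup_matches": backup == resp_a,
            "slot_for_a": slots.unlock(resp_a), "slot_for_b_before": before,
            "slot_for_b_after": slots.unlock(resp_b),
            "plain_slot": slots.unlock("plain passphrase from luksFormat")}
```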

AcidLeroy commented 4 years ago

I see. I was mainly messing around with 1FA for starters to make sure I can get that working. I'll do these steps then: 1) change the challenge in the ykfde.conf to some non-empty value 2) Regenerate initramfs 3) delete old key slots (minus the password-protected key slot w/o yubikey) 4) Re-add my keys with the new challenge 5) Reboot.

Vincent43 commented 4 years ago

That should work. Keep in mind that you need to remove the comment (#) before YKFDE_CHALLENGE.