agherzan / yubikey-full-disk-encryption

Use YubiKey to unlock a LUKS partition
Apache License 2.0

usage of ykfde to encrypt a standalone partition #59

Closed ng0177 closed 4 years ago

ng0177 commented 4 years ago

I followed these simple steps below under Arch/Manjaro but ykfde-enroll fails and asks the question about an old LUKS passphrase that has never been set or required:

"Please provide the old LUKS passphrase for the existing keyslot."

Any ideas? Thanks!

#create an empty partition using "Disks" w/o filesystem.

sudo pacman -Syu yubikey-full-disk-encryption

$sudo nano /etc/ykfde
YKFDE_CHALLENGE="something"
YKFDE_CHALLENGE_SLOT="2"

$sudo ykfde-format --cipher aes-xts-plain64 --key-size 512 --hash sha512 /dev/<device>
WARNING: This script will run 'cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 --hash sha512 /dev/<device>'.  If this is not what you intended, please abort.
   Remember to touch the device if necessary.
   New LUKS device successfully formatted

$sudo cryptsetup luksDump /dev/<device>
LUKS header information for /dev/<device>
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
Payload offset: 4096
...
Key Slot 0: ENABLED
...
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

$sudo ykfde-enroll -d /dev/<device> -s 2
INFO: Setting device to '/dev/<device>'.
INFO: Setting LUKS keyslot to '2'.
 > YubiKey slot status 'ykinfo -q -2': 1
WARNING: This script will utilize LUKS keyslot '2' on device '/dev/<device>'.  If this is not what you intended, please abort.
   Running: 'ykchalresp -2 something'...
   Remember to touch the device if necessary.
   Received response: '1121389712098712340987019238470987'
Please provide the old LUKS passphrase for the existing keyslot.
 Enter passphrase: 123456
 > Passing '123456' to 'cryptsetup'
 > Adding new LUKS passphrase with 'cryptsetup --key-slot=2 luksAddKey /dev/<device>'...
No key available with this passphrase.
Vincent43 commented 4 years ago

If you formatted the device with ykfde-format then you already have a ykfde password enrolled. Is there a reason you want to add another one with ykfde-enroll?

If you want to add another ykfde password to the same device then use the -o option, like ykfde-enroll -d /dev/<device> -s 2 -o.

ng0177 commented 4 years ago

Yes, I would like to allow access to the backup Yubikey and tried -o now with debug switched on:

$ sudo ykfde-enroll -d /dev/<device> -s 2 -o
INFO: Setting device to '/dev/<device>'.
INFO: Setting LUKS keyslot to '2'.
INFO: Using old YubiKey for passphrase
 > YubiKey slot status 'ykinfo -q -2': 1
WARNING: This script will utilize LUKS keyslot '2' on device '/dev/<device>'.  If this is not what you intended, please abort.
   Running: 'ykchalresp -2 something'...
   Remember to touch the device if necessary.
   Received response: '1d83a7c6df79ee2070b7e4903e83268bdb742e98'
Please insert old YubiKey for existing keyslot.
 > Please provide the old challenge.
   Enter challenge: something
 > Please repeat the old challenge.
   Enter challenge: something
   Running: 'ykchalresp -2 123452345234523453245'...
   Remember to touch the old device if necessary.
   Received response: '000000000001234213423142134'
 > Passing '123452345234523453245' to 'cryptsetup'
 > Adding new LUKS passphrase with 'cryptsetup --key-slot=2 luksAddKey /dev/<device>'...
No key available with this passphrase.
ng0177 commented 4 years ago

Maybe we have to solve another issue about the main Yubikey first - it seems it cannot open /dev/<device>. I might be missing something fundamental. Could you sketch the process steps to encrypt and then use an empty standalone partition for me? Appreciated.

$ ykfde-open -d /dev/<device>
INFO: Setting device to '/dev/<device>'.
 > YubiKey slot status 'ykinfo -q -2': 1
WARNING: This script will try to open the '' LUKS encrypted volume on drive '/dev/<device>' . If this is not what you intended, please abort.
   Running: 'ykchalresp -2 something'...
   Remember to touch the device if necessary.
   Received response: '123413241234'
 > Passing '123413241234' to 'udisksctl'
 > Decrypting with 'udisksctl unlock -b '/dev/<device>''...
spawn udisksctl unlock -b /dev/<device>
Passphrase: 
Unlocked /dev/<device> as /dev/dm-0.
expected boolean value but got ""
    while executing
"if ("") {
            spawn udisksctl mount -b $unlocked
            expect eof
        }"
    invoked from within
"expect -re "Unlocked .* as (.*).\r\n" {
        set unlocked $expect_out(1,string)
        if ("") {
            spawn udisksctl mount -b $unlocked
            expect eof
        }
    }"
    (file "/dev/fd/63" line 6)
Vincent43 commented 4 years ago

Are you sure the device isn't accessible? It shows Unlocked /dev/<device> as /dev/dm-0. If you want it to be automatically mounted, run ykfde-open -d /dev/<device> -m.

You can also try with sudo ykfde-open -d /dev/<device> -n <name>.

ng0177 commented 4 years ago

Thanks. I overlooked it. I now tried the -m option but it fails. I am not sure how to use the device name. When I try to mount manually, the type is unknown. Any advice?

$ ykfde-open -d /dev/<device> -m
INFO: Setting device to '/dev/<device>'.
INFO: Mounting device
 > YubiKey slot status 'ykinfo -q -2': 1
WARNING: This script will try to open the '' LUKS encrypted volume on drive '/dev/<device>' . If this is not what you intended, please abort.
   Running: 'ykchalresp -2 something'...
   Remember to touch the device if necessary.
   Received response: '123412341234123421'
 > Passing '123412341234123421' to 'udisksctl'
 > Decrypting with 'udisksctl unlock -b '/dev/<device>''...
spawn udisksctl unlock -b /dev/<device>
Passphrase: 
Unlocked /dev/<device> as /dev/dm-0.
spawn udisksctl mount -b /dev/dm-0
Object /org/freedesktop/UDisks2/block_devices/dm_2d0 is not a mountable filesystem.
Vincent43 commented 4 years ago

You can choose <name> freely as you like, foobar or whatever. Did you create any filesystem on the device after ykfde-format or is it totally empty? You may try:

sudo ykfde-open -d /dev/<device> -n <name>
sudo mkfs.ext4 /dev/mapper/<name>
sudo cryptsetup close /dev/mapper/<name>
ykfde-open -d /dev/<device> -m
ng0177 commented 4 years ago

Sorry for the delay. I succeeded now and put together this guideline for myself. Any comments or approval? Thanks.

How-To encrypt a dedicated partition
https://github.com/agherzan/yubikey-full-disk-encryption/issues/59

#1# create an empty partition i.e. w/o filesystem (click Next) using "Disks" to get a device name

#2# setup
$sudo pacman -Syu yubikey-full-disk-encryption
$sudo nano /etc/ykfde
YKFDE_CHALLENGE="something"
YKFDE_CHALLENGE_SLOT="2"

#3# just once to complete setup
$sudo ykfde-format --cipher aes-xts-plain64 --key-size 512 --hash sha512 /dev/<device>
$sudo ykfde-open -d /dev/<device> -n <name>
$sudo mkfs.ext4 /dev/mapper/<name>
$sudo cryptsetup close /dev/mapper/<name>

#4# every time after boot; if hangs, then ctrl-c and try again
$ykfde-open -d /dev/<device> -n <name> -m # no sudo!?
$sudo chown $USER:$USER /run/media/$USER/......

#5# not needed if backup Yubikey created by yubikey-personalization-gui following
https://www.yubico.com/wp-content/uploads/2016/03/YubiKeyPersonalizationToolUserGuideMarch2016.pdf 
$sudo ykfde-enroll -d /dev/<device> -o

#6# optional
$sudo cryptsetup luksDump /dev/<device>
Vincent43 commented 4 years ago

It looks ok.

The YKFDE_CHALLENGE_SLOT="2" isn't needed as slot 2 is used anyway when this isn't set.

$ykfde-open -d /dev/<device> -n <name> -m # no sudo!?

ykfde-open can work with and without sudo. With sudo it uses cryptsetup to open the device, without sudo it uses udisks. I think it failed for you previously because you didn't set up any filesystem on the device, which udisks found confusing.
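As an added example (not the ykfde project's own code), a small POSIX-shell preflight for the guideline above: it lists the enabled LUKS key slots before picking a slot for ykfde-enroll, checks whether the opened mapping already carries a filesystem before ykfde-open -m hands it to udisksctl, and reproduces the UDisks object-path escaping behind the "dm_2d0" error message. The luksDump sample is constructed; the preflight and fs_type_of helpers and their device/name arguments are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ykfde project: read-only preflight helpers
# for the "encrypt a dedicated partition" steps. Formatting, enrolling and
# mounting stay with the ykfde scripts themselves.

# Constructed sample of `cryptsetup luksDump` output (LUKS1 header), trimmed
# to the lines the helpers below look at: slot 0 from ykfde-format, slot 2
# from a later backup-key enrollment.
SAMPLE_DUMP='LUKS header information for /dev/<device>
Version:        1
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED'

# Print the ENABLED key slots found in luksDump output read from stdin.
# After ykfde-format, slot 0 already holds the YubiKey-derived passphrase,
# so a backup key goes in a free slot and ykfde-enroll needs -o to prove
# the existing slot with the first YubiKey instead of a typed passphrase.
luks_enabled_slots() {
    awk '/^Key Slot [0-7]: ENABLED/ { s = $3; sub(":", "", s)
                                      printf "%s%s", sep, s; sep = " " }
         END { print "" }'
}

# Filesystem type on an opened mapping, empty when there is none.
# `udisksctl mount` fails with "is not a mountable filesystem" on a freshly
# formatted container, so mkfs must run once before ykfde-open -m.
fs_type_of() {                      # usage: fs_type_of /dev/mapper/<name>
    blkid -o value -s TYPE "$1" 2>/dev/null
}

# UDisks names block devices by escaping every non-alphanumeric byte of the
# kernel name as _XX (hex), which is why /dev/dm-0 appears as dm_2d0.
udisks_object_path() {              # usage: udisks_object_path /dev/dm-0
    printf '%s' "${1#/dev/}" | awk '
        BEGIN { for (i = 1; i < 128; i++) ord[sprintf("%c", i)] = i }
        { out = ""
          for (i = 1; i <= length($0); i++) {
              ch = substr($0, i, 1)
              out = out (ch ~ /[A-Za-z0-9]/ ? ch : sprintf("_%02x", ord[ch]))
          }
          print "/org/freedesktop/UDisks2/block_devices/" out }'
}

# Hypothetical wrapper (needs root): preflight /dev/<device> <name>
preflight() {
    cryptsetup isLuks "$1" || { echo "$1 is not a LUKS container"; return 1; }
    echo "enabled key slots: $(cryptsetup luksDump "$1" | luks_enabled_slots)"
    [ -e "/dev/mapper/$2" ] || return 0
    fs=$(fs_type_of "/dev/mapper/$2")
    [ -n "$fs" ] && echo "/dev/mapper/$2 holds $fs, ykfde-open -m will mount it" \
                 || echo "no filesystem on /dev/mapper/$2: run mkfs.ext4 before -m"
}
```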

ng0177 commented 4 years ago

Great. Great tool for many purposes. Appreciate all the help and support.