agherzan / yubikey-full-disk-encryption

Use YubiKey to unlock a LUKS partition
Apache License 2.0

Asking for standard password instead of yubikey #94

Open ranenvious opened 1 year ago

ranenvious commented 1 year ago

For context, I have my computer set up for its root partition to be encrypted, booting from UEFI, with an unencrypted /boot/efi partition of 500MB. I'm trying to set up yubikey encryption so that, if I have to leave my computer for a period of time, I can keep remote access in the event of a power cycle. (so stored challenge)

I followed the instructions line by line but despite that my computer always just asks for my normal LUKS password and when I type it in, it unlocks like I haven't even tried adding a yubikey to unlock it.

I kept my existing key slots as a backup at 1 and 2, and added my two yubikeys (always keep a backup and all that) to slots 4 and 5 of my luks partition.

My hooks are HOOKS="base udev autodetect modconf block keyboard keymap consolefont ykfde encrypt filesystems"

and I have regenerated my mkinitcpio with sudo mkinitcpio -P

I assume I'm missing something here but I can't see what as I followed the instructions basically verbatim on an install less than a day old. (endeavourOS if relevant) I won't pretend to know much of what I'm doing here beyond the broad stroke concepts but from everything I can see it should be working.

Vincent43 commented 1 year ago

You may try enabling debug mode by removing # from https://github.com/agherzan/yubikey-full-disk-encryption/blob/master/src/ykfde.conf#L53 then regenerate mkinitcpio

If I understand correctly you have encrypted /boot and unencrypted /boot/efi - how do you copy kernels & initramfs from the former to the latter? Are you sure they're in sync?

ranenvious commented 1 year ago

Okay, so update: when I was having to deal with booting into my Windows partition for a stupid peripheral (didn't work by the way, Windows decided to bork itself completely for no reason, didn't even touch the drive it was on, this is why I'm on Linux now) it DID ask me to insert my yubikey once, and worked flawlessly, but then I restarted again just now and it's asking for the password again. It may have had something to do with me changing my NVMe SSD mode in the BIOS, I think I changed it back to RAID from AHCI when I was trying to get Windows to work, but I haven't changed it back so I don't know why it would have stopped.

The only other thing I could think of is maybe it won't ask for my yubikey if it's already inserted? I've been leaving my key in the computer while I've been trying to work on this, but I removed it for a file transfer before I had to deal with the Windows BS, and then it asked me for the key so I rushed to insert it.

As for the question, I'm going to be honest and say I don't know. I'm not extremely into the grit of encryption or low level computing and haven't really had to deal with that sort of stuff. I mean I do want my drive encrypted for basic privacy's sake, and unfortunately I frequently have to leave my computer and remote access it, which isn't a great combination, but being able to have it auto-decrypt when I want it to and stay encrypted without a password when I don't is much better than nothing. During my installation I just made two partitions, one as a fat32 /boot/efi flagged as a boot partition, and one containing the rest of the drive as a btrfs luks encrypted filesystem.

Vincent43 commented 1 year ago

If you enable debug mode as I suggested above then you may see some messages on your screen during boot which could help in understanding what's going on.

Keeping yubikey inserted all the time isn't a problem.

ranenvious commented 1 year ago

(I will enable debug mode as well but I just noticed this and wanted to go ahead and mention it) After paying closer attention during start up, (when my monitor decides to work, for some reason my GPU and monitor just do not like each other most times during startup, unrelated to Linux, it's a hardware thing this computer has always had) I noticed that ykfde DOES unlock my drive, after boot, I see the ykfde hook at the start of the Linux boot cycle, right after I select my OS in grub. I'm guessing this is related to what you were talking about regarding syncing information between the EFI boot partition and the root partition but I have no idea how to do that, or why it worked properly previously.

I'll try to give it a shot with debug mode running soon but it's going to be busy today so I might not be able to. If I don't I should have access to the machine again sometime Friday after next.

Edit: also, if relevant, I looked at issue #53 and I was able to follow just about every step to no success, except for the last step of the last post, to use the command "sudo grub-install /dev/mydevice --efi-directory /boot" which gives me the error "grub-install: error: /boot/ doesn't look like an EFI partition." No clue if this is relevant or not, but I figured I'd mention it just in case.

Vincent43 commented 1 year ago

I noticed that ykfde DOES unlock my drive, after boot, I see the ykfde hook at the start of the linux boot cycle, right after I select my OS in grub.

Do you mean ykfde unlocks your drive but you are still asked for password afterwards?

"grub-install: error: /boot/ doesn't look like an EFI partition."

According to your comments above the EFI partition is /boot/efi, or did you change it?

ranenvious commented 1 year ago

I noticed that ykfde DOES unlock my drive, after boot, I see the ykfde hook at the start of the linux boot cycle, right after I select my OS in grub.

Do you mean ykfde unlocks your drive but you are still asked for password afterwards?

When I type in my password to initially decrypt my drive, in the text that shows up immediately after pressing enter to decrypt, it shows a prompt to insert my yubikey (which is already inserted), hangs for a second or two, then continues. I think it's something with how Endeavour is set up, or maybe how I set it up, where it's two encryption layers or something. I think this because when I was first buggering about with FDE I removed the second key in the LUKS header of a relatively fresh endeavourOS install and then I would have to input my password twice, making me think the encryption is two fold somehow and the second entry in the header was an auto-decrypt thing so once you input the password once, there was a stored keyfile somewhere on disk that automatically handled the second layer. I've noticed on my laptop which is also Endeavour and has FDE that after I type in my password it DOES hang immediately afterwards in the same spot after loading the encrypt hook, so I do think it's some double layered encryption of some sort. (I have not messed with my laptop's LUKS at all) Might be completely off-base on this but it's the only guess I have based on what I can see and have experienced.

"grub-install: error: /boot/ doesn't look like an EFI partition." According to your comments above the EFI partition is /boot/efi, or did you change it?

I followed the instructions in the issue that seemed to have a similar issue, which involved changing your boot directory. After the command failed, however, I rolled back to how everything was prior since it didn't work. I was just reporting that I tried another solution to a similar looking problem and got an error. I can't say whether that error is relevant or if the problems are related, just that they looked related and the solution in that thread didn't work for one reason or another.

gustafla commented 1 year ago

I have the same problem on my Arch setup. ykfde hook just asks for cryptsetup passphrase

My luks has a passphrase in slot 0 and ykfde-enroll challenge-response in slot 1.

Setting DBG=1 and regenerating the unified kernel image did not reveal anything interesting.

I usually mount my ESP to /efi and not /boot because I have a unified kernel image setup, so I wonder if that is the culprit?

HOOKS=(base udev autodetect keyboard keymap consolefont modconf block ykfde encrypt filesystems fsck)

gustafla commented 1 year ago

If it helps I'm also using Secure Boot but since it's all running from a signed initramfs there shouldn't be a problem

For now, my workaround to have "2FA" is to type part of a passphrase and then trigger yubikey password to finish it off

Vincent43 commented 1 year ago

Setting DBG=1 and regenerating the unified kernel image did not reveal anything interesting.

Are there any messages at all? Could you upload a photo?

Could you show your /etc/ykfde.conf? Did you uncomment YKFDE_CHALLENGE_PASSWORD_NEEDED="1"?

gustafla commented 1 year ago

YKFDE_CHALLENGE_PASSWORD_NEEDED="1"

Oh I am so sorry, I mistook that to be a default when left uncommented. Thank you for helping me out, now it works!

ranenvious commented 1 year ago

Sorry for taking so long to get back to this, I've had to catch up over the last few days since some personal stuff happened so I didn't have a lot of time to dedicate to working out this issue.

I did notice something though, as mentioned previously while it asks me for my password initially, immediately after that it is now, reliably, asking me to insert my yubikey to decrypt it again. Previously after entering my password for the first time on the initial prompt (before GRUB opened) I would get to grub, select my kernel, then a few lines would be written and it would pause after printing that it was loading an encryption tool then continue the boot process. Now however, after I select my kernel from grub if my yubikey is not inserted it prompts me to insert it, if I do then it takes a good 10-20 seconds decrypting before continuing the boot process. If I let the timeout elapse however, it prompts me for my password. Which is different behaviour than it had before, where it would automatically decrypt, presumably from some stored key that was decrypted from the first time it asked me for my password before entering GRUB.

I have no idea why my FDE is behaving like this as, outside of following the instructions here to add my keys, my disk encryption setup should be the exact same as a stock endeavourOS installation. (With a manually partitioned BTRFS LUKS as the root directory but the only thing that even prompted me to put in was a password to encrypt it with.)

Vincent43 commented 1 year ago

Since you have /boot encrypted and don't have access to initramfs on early boot it's grub which asks for your password first, and grub doesn't support yubikey unlocking. After you unlock grub it loads initramfs where you need to unlock your disk again. Here's where you can use this project or use a keyfile to unlock the disk without any password.

To change that you would need to move /boot into the EFI partition and disable the cryptodisk feature of grub. Only then could you unlock your disk with yubikey directly from early boot.

ranenvious commented 1 year ago

I don't believe my boot partition is encrypted. I manually made a 500MB /boot/efi partition when I was installing EOS and am booting with UEFI, not legacy BIOS, which from what I read shouldn't be able to be encrypted. Maybe I'm wrong, but in that case do you have a link for how to make a non-encrypted boot partition on a system with an encrypted one? I don't really care about keeping it encrypted but I have no idea how to go about completely making a new boot partition. (preferably without completely reinstalling my OS)

Vincent43 commented 1 year ago

Note that I specifically wrote /boot not boot partition. On your system /boot and /boot/efi are on different partitions - the former is encrypted and the latter not. Initramfs are usually stored in /boot which means in your case they are encrypted and you need to use grub cryptodisk feature to decrypt them initially and grub doesn't support yubikey.
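The three findings this thread converges on (ykfde must precede encrypt in HOOKS, YKFDE_CHALLENGE_PASSWORD_NEEDED="1" must be uncommented in ykfde.conf, and an encrypted /boot makes grub's cryptodisk prompt for a passphrase before the ykfde hook ever runs) as an added POSIX-shell diagnostic. This is example code, not part of the yubikey-full-disk-encryption project; the function names, sample strings and device names are constructed for the example.

```shell
# Added example, not code from the yubikey-full-disk-encryption project.
# Pure-shell checks for the three causes this thread converged on, run over
# constructed input strings so the script works offline. On a real machine feed
# it the HOOKS line of /etc/mkinitcpio.conf, the text of /etc/ykfde.conf and
# the output of "lsblk -rno NAME,TYPE,MOUNTPOINT".

# 0 if "ykfde" precedes "encrypt" in a HOOKS=... line (either quoting style), else 1.
check_hooks_order() {
    hooks=$(printf '%s' "$1" | sed 's/^HOOKS=//' | tr -d '"()')
    i=0; ykfde_pos=0; encrypt_pos=0
    for h in $hooks; do
        i=$((i + 1))
        [ "$h" = ykfde ] && ykfde_pos=$i
        [ "$h" = encrypt ] && encrypt_pos=$i
    done
    [ "$ykfde_pos" -gt 0 ] && [ "$encrypt_pos" -gt "$ykfde_pos" ]
}

# 0 if YKFDE_CHALLENGE_PASSWORD_NEEDED="1" is active (not commented out) in the
# given ykfde.conf text; leaving it commented was gustafla's root cause.
check_password_needed() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*YKFDE_CHALLENGE_PASSWORD_NEEDED="1"'
}

# 0 if /boot lives on a dm-crypt "crypt" device, either as its own mountpoint or
# as a plain directory on an encrypted "/": ranenvious's layout, where grub needs
# cryptodisk and asks for a passphrase before the ykfde hook ever runs.
boot_is_encrypted() {
    printf '%s\n' "$1" | awk '$3 == "/boot" { t = $2 } $3 == "/" { r = $2 }
        END { if (t == "") t = r; exit (t != "crypt") }'
}

# Constructed samples; device names are placeholders, not taken from the thread.
HOOKS_OK='HOOKS="base udev autodetect modconf block keyboard keymap consolefont ykfde encrypt filesystems"'
HOOKS_BAD='HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt ykfde filesystems fsck)'
CONF_COMMENTED='#YKFDE_CHALLENGE_PASSWORD_NEEDED="1"'
CONF_OK='YKFDE_CHALLENGE_PASSWORD_NEEDED="1"'
LSBLK_BOOT_ON_ROOT='nvme0n1 disk
nvme0n1p1 part /boot/efi
nvme0n1p2 part
cryptroot crypt /'
LSBLK_ESP_AT_BOOT='nvme0n1 disk
nvme0n1p1 part /boot
nvme0n1p2 part
cryptroot crypt /'

if check_hooks_order "$HOOKS_OK"; then echo "hooks: ok"; else echo "hooks: ykfde must precede encrypt"; fi
if check_password_needed "$CONF_COMMENTED"; then echo "conf: ok"; else echo "conf: uncomment YKFDE_CHALLENGE_PASSWORD_NEEDED=\"1\""; fi
if boot_is_encrypted "$LSBLK_BOOT_ON_ROOT"; then echo "boot: encrypted, grub cryptodisk prompts first"; else echo "boot: on the ESP"; fi
```

A "boot: encrypted" result means the ykfde hook cannot be the first thing that asks for a secret, which is exactly the behaviour ranenvious describes.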

ranenvious commented 1 year ago

Ah, okay, in that case then how would I go about making /boot unencrypted? Would I need to create another separate partition for /boot AND one for /boot/efi? (assuming I want to keep UEFI boot of course)

Vincent43 commented 1 year ago

It would be enough to change the mountpoint of the EFI partition from /boot/efi to /boot. You also need to reinstall all kernels and grub.

ranenvious commented 1 year ago

If I move the partition to /boot will I still keep EFI boot? From everything I read when I was doing my manual Arch install initially (before switching to Endeavour), for EFI boot to work it has to be mounted to /boot/efi. In order to reinstall the kernel would I just chroot into it and do pacman -S linux-zen?

Vincent43 commented 1 year ago

The EFI partition can be mounted as /boot, however you need to have enough free space to install all kernels and initramfs there. How much free space do you have on /boot/efi right now?

ranenvious commented 1 year ago

I believe I only created my /boot/efi partition with 500MB, but if I'm going to move it to /boot anyways and need to reinstall everything, can't I just delete everything in it so the space wouldn't matter? (again, completely and totally new to this. I know the basics of partitioning and whatnot from a few manual Arch installs but a Linux expert I am not, so sorry if these are stupid questions)

Vincent43 commented 1 year ago

Files stored on the EFI boot partition are essential for booting the system so you shouldn't delete them. When you mount the EFI partition on /boot then it will need to contain all files you had on it before plus all files you had on /boot.